Legal provisions of COM(2021)420 - Prevention of the use of the financial system for the purposes of money laundering or terrorist financing - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2021)420 - Prevention of the use of the financial system for the purposes of money laundering or terrorist financing. |
|---|---|
| document | COM(2021)420  |
| date | May 31, 2024 |
CHAPTER I
GENERAL PROVISIONS
SECTION 1
Subject matter and definitions
Article 1
Subject matter
This Regulation lays down rules concerning:
| (a) | the measures to be applied by obliged entities to prevent money laundering and terrorist financing; |
| (b) | beneficial ownership transparency requirements for legal entities, express trusts and similar legal arrangements; |
| (c) | measures to limit the misuse of anonymous instruments. |
Article 2
Definitions
1. For the purposes of this Regulation, the following definitions apply:
| (1) | ‘money laundering’ means the conduct set out in Article 3, paragraphs 1 and 5, of Directive (EU) 2018/1673 including aiding and abetting, inciting and attempting to commit that conduct, whether the activities which generated the property to be laundered were carried out on the territory of a Member State or on that of a third country; knowledge, intent or purpose required as an element of that conduct may be inferred from objective factual circumstances; |
| (2) | ‘terrorist financing’ means the conduct set out in Article 11 of Directive (EU) 2017/541 including aiding and abetting, inciting and attempting to commit that conduct, whether carried out on the territory of a Member State or on that of a third country; knowledge, intent or purpose required as an element of that conduct may be inferred from objective factual circumstances; |
| (3) | ‘criminal activity’ means criminal activity as defined in Article 2, point (1), of Directive (EU) 2018/1673, as well as fraud affecting the Union’s financial interests as defined in Article 3(2) of Directive (EU) 2017/1371, passive and active corruption as defined in Article 4 (2) and misappropriation as defined in Article 4(3), second subparagraph, of that Directive; |
| (4) | ‘funds’ or ‘property’ means property as defined in Article 2, point (2), of Directive (EU) 2018/1673; |
| (5) | ‘credit institution’ means:
|
| (6) | ‘financial institution’ means:
|
| (7) | ‘crypto-asset’ means a crypto-asset as defined in Article 3(1), point (5), of Regulation (EU) 2023/1114 except when falling under the categories listed in Article 2(4) of that Regulation; |
| (8) | ‘crypto-asset services’ means crypto-asset services as defined in Article 3(1), point (16), of Regulation (EU) 2023/1114, with the exception of providing advice on crypto-assets as referred to in Article 3(1), point (16)(h), of that Regulation; |
| (9) | ‘crypto-asset service provider’ means a crypto-asset service provider as defined in Article 3(1), point (15), of Regulation (EU) 2023/1114 where performing one or more crypto-asset services; |
| (10) | ‘financial mixed activity holding company’ means an undertaking, other than a financial holding company or a mixed financial holding company, which is not the subsidiary of another undertaking, the subsidiaries of which include at least one credit institution or financial institution; |
| (11) | ‘trust or company service provider’ means any natural or legal person that, by way of its business, provides any of the following services to third parties:
|
| (12) | ‘gambling service’ means a service which involves wagering a stake with monetary value in games of chance, including those with an element of skill, such as lotteries, casino games, poker games and betting transactions that are provided at a physical location, or by any means at a distance, by electronic means or any other technology for facilitating communication, and at the individual request of a recipient of services; |
| (13) | ‘non-financial mixed activity holding company’ means an undertaking, other than a financial holding company or a mixed financial holding company, which is not the subsidiary of another undertaking, the subsidiaries of which include at least one obliged entity as referred to in Article 3, point (3); |
| (14) | ‘self-hosted address’ means a self-hosted address as defined in Article 3, point (20), of Regulation (EU) 2023/1113; |
| (15) | ‘crowdfunding service provider’ means a crowdfunding service provider as defined in Article 2(1), point (e), of Regulation (EU) 2020/1503; |
| (16) | ‘crowdfunding intermediary’ means an undertaking other than a crowdfunding service provider the business of which is to match or facilitate the matching, through an internet-based information system open to the public or to a limited number of funders, of:
|
| (17) | ‘electronic money’ means electronic money as defined in Article 2, point (2), of Directive 2009/110/EC of the European Parliament and of the Council (38), but excluding monetary value as referred to in Article 1(4) and (5) of that Directive; |
| (18) | ‘establishment’ means the actual pursuit by an obliged entity of an economic activity covered by Article 3 in a Member State or third country other than the country where its head office is located for an indefinite period and through a stable infrastructure, including:
|
| (19) | ‘business relationship’ means a business, professional or commercial relationship connected with the professional activities of an obliged entity, which is set up between an obliged entity and a customer, including in the absence of a written contract and which is expected to have, at the time when the contact is established, or which subsequently acquires, an element of repetition or duration; |
| (20) | ‘linked transactions’ means two or more transactions with either identical or similar origin, destination and purpose, or other relevant characteristics, over a specific period; |
| (21) | ‘third country’ means any jurisdiction, independent state or autonomous territory that is not part of the Union and that has its own AML/CFT legislation or enforcement regime; |
| (22) | ‘correspondent relationship’ means:
|
| (23) | ‘shell institution’ means:
|
| (24) | ‘crypto-asset account’ means a crypto-asset account as defined in Article 3, point (19), of Regulation (EU) 2023/1113; |
| (25) | ‘anonymity-enhancing coins’ means crypto-assets that have built-in features designed to make crypto-asset transfer information anonymous, either systematically or optionally; |
| (26) | ‘virtual IBAN’ means an identifier causing payments to be redirected to a payment account identified by an IBAN different from that identifier; |
| (27) | ‘Legal Entity Identifier’ means a unique alphanumeric reference code based on the ISO 17442 standard assigned to a legal entity; |
| (28) | ‘beneficial owner’ means any natural person who ultimately owns or controls a legal entity or an express trust or similar legal arrangement; |
| (29) | ‘express trust’ means a trust intentionally set up by the settlor, inter vivos or on death, usually in a form of written document, to place assets under the control of a trustee for the benefit of a beneficiary or for a specified purpose; |
| (30) | ‘objects of a power’ means the natural or legal persons or class of natural or legal persons among whom trustees may select the beneficiaries in a discretionary trust; |
| (31) | ‘default taker’ means the natural or legal persons or class of natural or legal persons who are the beneficiaries of a discretionary trust should the trustees fail to exercise their discretion; |
| (32) | ‘legal arrangement’ means an express trust or an arrangement which has a similar structure or function to an express trust, including fiducie and certain types of Treuhand and fideicomiso; |
| (33) | ‘basic information’ means:
|
| (34) | ‘politically exposed person’ means a natural person who is or has been entrusted with prominent public functions including:
|
| (35) | ‘family member’ means:
|
| (36) | ‘person known to be a close associate’ means:
|
| (37) | ‘management body’ means an obliged entity’s body or bodies, which are appointed in accordance with national law, which are empowered to set the obliged entity’s strategy, objectives and overall direction, and which oversee and monitor management decision-making, and include the persons who effectively direct the business of the obliged entity; where no such body exists, the person who effectively directs the business of the obliged entity; |
| (38) | ‘management body in its management function’ means the management body responsible for the day-to-day management of the obliged entity; |
| (39) | ‘management body in its supervisory function’ means the management body acting in its role of overseeing and monitoring management decision-making; |
| (40) | ‘senior management’ means the members of the management body in its management function, as well as officers and employees with sufficient knowledge of the obliged entity’s money laundering and terrorist financing risk exposure and sufficient seniority to take decisions affecting its risk exposure; |
| (41) | ‘group’ means a group of undertakings which consists of a parent undertaking, its subsidiaries, as well as undertakings linked to each other by a relationship within the meaning of Article 22 of Directive 2013/34/EU; |
| (42) | ‘parent undertaking’ means:
|
| (43) | ‘cash’ means cash as defined in Article 2(1), point (a), of Regulation (EU) 2018/1672 of the European Parliament and of the Council (39); |
| (44) | ‘competent authority’ means:
|
| (45) | ‘supervisor’ means the body entrusted with responsibilities aimed at ensuring compliance by obliged entities with the requirements of this Regulation, including AMLA when performing the tasks entrusted to it in Article 5(2) of Regulation (EU) 2024/1620; |
| (46) | ‘supervisory authority’ means a supervisor who is a public body, or the public authority overseeing self-regulatory bodies in their performance of supervisory functions pursuant to Article 37 of Directive (EU) 2024/1640, or AMLA when acting as a supervisor; |
| (47) | ‘self-regulatory body’ means a body that represents members of a profession and has a role in regulating them, in performing certain supervisory or monitoring functions and in ensuring the enforcement of the rules relating to them; |
| (48) | ‘funds or other assets’ means any assets, including, but not limited to, financial assets, economic resources, including oil and other natural resources, property of every kind, whether tangible or intangible, movable or immovable, however acquired, and legal documents or instruments in any form, including electronic or digital, evidencing title to, or interest in, such funds or other assets, including, but not limited to, bank credits, travellers cheques, bank cheques, money orders, shares, securities, bonds, drafts, or letters of credit, and any interest, dividends or other income on or value accruing from or generated by such funds or other assets, and any other assets which potentially may be used to obtain funds, goods or services; |
| (49) | ‘targeted financial sanctions’ means both asset freezing and prohibitions to make funds or other assets available, directly or indirectly, for the benefit of designated persons and entities pursuant to Council Decisions adopted on the basis of Article 29 TEU and Council Regulations adopted on the basis of Article 215 TFEU; |
| (50) | ‘UN financial sanctions’ means both asset freezing and prohibitions to make funds or other assets available, directly or indirectly, for the benefit of designated or listed persons and entities pursuant to:
|
| (51) | ‘UN financial sanctions relating to proliferation financing’ means both asset freezing and prohibitions to make funds or other assets available, directly or indirectly, for the benefit of designated or listed persons and entities pursuant to:
|
| (52) | ‘professional football club’ means any legal person that is, owns or manages a football club that has been granted a licence and participates in the national football leagues in a Member State and whose players and staff are contractually engaged and are remunerated in exchange for their services; |
| (53) | ‘football agent’ means a natural or legal person who, for a fee, provides intermediary services and represents football players or professional football clubs in negotiations with a view to concluding a contract for a football player or represents professional football clubs in negotiations with a view to concluding an agreement for the transfer of a football player; |
| (54) | ‘high-value goods’ means goods listed in Annex IV; |
| (55) | ‘precious metals and stones’ means metals and stones listed in Annex V; |
| (56) | ‘cultural goods’ means goods listed in Annex I to Council Regulation (EC) No 116/2009 (40); |
| (57) | ‘partnership for information sharing’ means a mechanism that enables the sharing and processing of information between obliged entities and, where applicable, competent authorities referred to in point 44(a), (b) and (c), for the purposes of preventing and combating money laundering, its predicate offences and terrorist financing, whether at national level or on a cross-border basis, and regardless of the form of that partnership. |
2. Prominent public functions as referred to in paragraph 1, point (34), shall not be understood as covering middle-ranking or more junior officials.
3. Where justified by their administrative organisation and by risk, Member States may set lower thresholds for the designation of the following prominent public functions:
| (a) | members of governing bodies of political parties represented at regional or local level, as referred to in paragraph 1, point (34)(a)(iii); |
| (b) | heads of regional and local authorities, as referred to in paragraph 1, point (34)(a)(viii). |
Member States shall notify those lower thresholds to the Commission.
4. In relation to paragraph 1, point (34)(a)(vii) of this Article, where justified by their administrative organisation and by risk, Member States may set lower thresholds for the identification of enterprises controlled by regional or local authorities than those defined in Article 3(3), (4), (6) and (7) of Directive 2013/34/EU.
Member States shall notify those lower thresholds to the Commission.
5. Where justified by their social and cultural structures and by risk, Member States may apply a broader scope for the designation of siblings as family members of politically exposed persons, as referred to in paragraph 1, point (35)(d).
Member States shall notify that broader scope to the Commission.
SECTION 2
Scope
Article 3
Obliged entities
The following entities are to be considered obliged entities for the purposes of this Regulation:
| (1) | credit institutions; |
| (2) | financial institutions; |
| (3) | the following natural or legal persons acting in the exercise of their professional activities:
|
Article 4
Exemptions for certain providers of gambling services
1. Member States may decide to exempt, in full or in part, providers of gambling services from the requirements set out in this Regulation on the basis of the proven low risk posed by the nature and, where appropriate, the scale of operations of such services.
The exemption referred to in the first subparagraph shall not apply to:
| (a) | casinos; |
| (b) | providers of gambling services the principal activity of which is to provide online gambling services or sport betting services, other than:
|
2. For the purposes of paragraph 1, Member States shall carry out a risk assessment of gambling services assessing:
| (a) | money laundering and terrorist financing threats and vulnerabilities, and mitigating factors of the gambling services; |
| (b) | the risks linked to the size of the transactions and payment methods used; |
| (c) | the geographical area in which the gambling services are administered, including their cross border dimension and accessibility from other Member States or third countries. |
When carrying out the risk assessments referred to in the first subparagraph of this paragraph, Member States shall take into account the findings of the risk assessment at Union level conducted by the Commission pursuant to Article 7 of Directive(EU) 2024/1640.
3. Member States shall establish risk-based monitoring activities or take other adequate measures to ensure that the exemptions granted pursuant to this Article are not abused.
Article 5
Exemptions for certain professional football clubs
1. Member States may decide to exempt, in full or in part, professional football clubs that participate in the highest division of the national football league and that have a total annual turnover of less than EUR 5 000 000, or the equivalent in national currency, for each of the previous 2 calendar years from the requirements set out in this Regulation on the basis of the proven low risk posed by the nature and the scale of operation of such professional football clubs.
Member States may decide to exempt, in full or in part, professional football clubs that participate in a division lower than the highest division of the national football league from the requirements set out in this Regulation on the basis of proven low risk posed by the nature and the scale of operation of such professional football clubs.
2. For the purposes of paragraph 1, Member States shall carry out a risk assessment of the professional football clubs assessing:
| (a) | money laundering and terrorist financing threats and vulnerabilities, and mitigating factors of the professional football clubs; |
| (b) | the risks linked to the size and cross-border nature of the transactions. |
When carrying out the risk assessments referred to in the first subparagraph of this paragraph, Member States shall take into account the findings of the risk assessments at Union level conducted by the Commission pursuant to Article 7 of Directive (EU) 2024/1640.
3. Member States shall establish risk-based monitoring activities or take other adequate measures to ensure that the exemptions granted pursuant to this Article are not abused.
Article 6
Exemptions for certain financial activities
1. With the exception of persons engaged in the activity of money remittance as defined in Article 4, point (22), of Directive (EU) 2015/2366, Member States may decide to exempt legal or natural persons that engage in a financial activity as listed in Annex I, points (2) to (12), (14) and (15), to Directive 2013/36/EU on an occasional or very limited basis where there is little risk of money laundering or terrorist financing from the requirements set out in this Regulation, provided that all of the following criteria are met:
| (a) | the financial activity is limited in absolute terms; |
| (b) | the financial activity is limited on a transaction basis; |
| (c) | the financial activity is not the main activity of such persons; |
| (d) | the financial activity is ancillary and directly related to the main activity of such persons; |
| (e) | the main activity of such persons is not an activity referred to in Article 3, point (3)(a) to (d) or (g) of this Regulation; |
| (f) | the financial activity is provided only to the customers of the main activity of such persons and is not generally offered to the public. |
2. For the purposes of paragraph 1, point (a), Member States shall require that the total turnover of the financial activity does not exceed a threshold which shall be sufficiently low. That threshold shall be established at national level, depending on the type of financial activity.
3. For the purposes of paragraph 1, point (b), Member States shall apply a maximum threshold per customer and per single transaction, whether the transaction is carried out in a single operation or through linked transactions. That maximum threshold shall be established at national level, depending on the type of financial activity. It shall be sufficiently low in order to ensure that the types of transactions in question are an impractical and inefficient method for money laundering or terrorist financing, and shall not exceed EUR 1 000 or the equivalent in national currency, irrespective of the means of payment.
4. For the purposes of paragraph 1, point (c), Member States shall require that the turnover of the financial activity does not exceed 5 % of the total turnover of the natural or legal person concerned.
5. In assessing the risk of money laundering or terrorist financing for the purposes of this Article, Member States shall pay particular attention to any financial activity which is considered to be particularly likely, by its nature, to be used or abused for the purposes of money laundering or terrorist financing.
6. Member States shall establish risk-based monitoring activities or take other adequate measures to ensure that the exemptions granted pursuant to this Article are not abused.
Article 7
Prior notification of exemptions
1. Member States shall notify the Commission of any exemption that they intend to grant in accordance with Articles 4, 5 and 6 without delay. The notification shall include a justification based on the relevant risk assessment carried out by the Member State to sustain the exemption.
2. The Commission shall within 2 months of the notification referred to in paragraph 1 take one of the following actions:
| (a) | confirm that the exemption may be granted on the basis of the justification given by the Member State; |
| (b) | by reasoned decision, declare that the exemption may not be granted. |
For the purposes of the first subparagraph, the Commission may request additional information from the notifying Member State.
3. Upon receipt of a confirmation by the Commission pursuant to paragraph 2, point (a), of this Article, Member States may adopt a decision granting the exemption. The decision shall state the reasons on which it is based. Member States shall review such decisions regularly, and in any case when they update their national risk assessment pursuant to Article 8 of Directive (EU) 2024/1640.
4. By 10 October 2027, Member States shall notify to the Commission the exemptions granted pursuant to Article 2(2) and (3) of Directive (EU) 2015/849 in place on 10 July 2027.
5. The Commission shall publish every year in the Official Journal of the European Union the list of exemptions granted pursuant to this Article and make that list publicly available on its website.
SECTION 3
Cross-border operations
Article 8
Notification of cross-border operations and application of national law
1. Obliged entities wishing to carry out activities within the territory of another Member State for the first time shall notify the supervisors of their home Member State of the activities which they intend to carry out in that other Member State. That notification shall be submitted as soon as the obliged entity takes steps to carry out the activities, and, in the case of establishments at least 3 months prior to the commencement of those activities. Obliged entities shall immediately notify the supervisors of their home Member State upon commencement of those activities in that other Member State.
The first subparagraph shall not apply to obliged entities subject to specific notification procedures for the exercise of the freedom of establishment and of the freedom to provide services under other Union legal acts or to cases where the obliged entity is subject to specific authorisation requirements in order to operate in the territory of that other Member State.
2. Any planned change to the information communicated under paragraph 1 shall be communicated by the obliged entity to the supervisor of the home Member State at least 1 month before making the change.
3. Where this Regulation allows Member States to adopt additional rules applicable to obliged entities, obliged entities shall comply with the national rules of the Member State in which they are established.
4. Where obliged entities operate establishments in several Member States, they shall ensure that each establishment applies the rules of the Member State in which it is located.
5. Where obliged entities as referred to in Article 38(1) of Directive (EU) 2024/1640 operate, in other Member States than the one where they are established through agents, distributors, or through other types of infrastructure located in those other Member States under the freedom to provide services, they shall apply the rules of the Member States in which they provide services in relation to those activities, unless Article 38(2) of that Directive applies, in which case they shall apply the rules of the Member State where their head office is located.
6. Where obliged entities are required to appoint a central contact point pursuant to Article 41 of Directive (EU) 2024/1640, they shall ensure that the central contact point is able to ensure compliance with applicable law on behalf of the obliged entity.
CHAPTER II
INTERNAL POLICIES, PROCEDURES AND CONTROLS OF OBLIGED ENTITIES
SECTION 1
Internal policies, procedures and controls, risk assessment and staff
Article 9
Scope of internal policies, procedures and controls
1. Obliged entities shall have in place internal policies, procedures and controls in order to ensure compliance with this Regulation, Regulation (EU) 2023/1113 and any administrative act issued by any supervisor and in particular to:
| (a) | mitigate and manage effectively the risks of money laundering and terrorist financing identified at the level of the Union, the Member State and the obliged entity; |
| (b) | in addition to the obligation to apply targeted financial sanctions, mitigate and manage the risks of non-implementation and evasion of targeted financial sanctions. |
The policies, procedures and controls referred to in the first subparagraph shall be proportionate to the nature of the business, including its risks and complexity, and the size of the obliged entity and shall cover all the activities of the obliged entity that fall under the scope of this Regulation.
2. The policies, procedures and controls referred to in paragraph 1 shall include:
| (a) | internal policies and procedures, including in particular:
|
| (b) | internal controls and an independent audit function to test the internal policies and procedures referred to in point (a) of this paragraph and the controls in place in the obliged entity; in the absence of an independent audit function, obliged entities may have this test carried out by an external expert. |
The internal policies, procedures and controls set out in the first subparagraph shall be recorded in writing. Internal policies shall be approved by the management body in its management function. Internal procedures and controls shall be approved at least at the level of the compliance manager.
3. The obliged entities shall keep the internal policies, procedures and controls up-to-date, and enhance them where weaknesses are identified.
4. By 10 July 2026, AMLA shall issue guidelines on the elements that obliged entities should take into account, based on the nature of their business, including its risks and complexity, and their size, when deciding on the extent of their internal policies, procedures and controls, in particular as regards the staff allocated to the compliance functions. Those guidelines shall also identify situations where, due to the nature and size of the obliged entity:
| (i) | internal controls are to be organised at the level of the commercial function, of the compliance function and of the audit function; |
| (ii) | the independent audit function can be carried out by an external expert. |
Article 10
Business-wide risk assessment
1. Obliged entities shall take appropriate measures, proportionate to the nature of their business, including its risks and complexity, and their size, to identify and assess the risks of money laundering and terrorist financing to which they are exposed, as well as the risks of non-implementation and evasion of targeted financial sanctions, taking into account at least:
| (a) | the risk variables set out in Annex I and the risk factors set out in Annexes II and III; |
| (b) | the findings of the risk assessment at Union level conducted by the Commission pursuant to Article 7 of Directive (EU) 2024/1640; |
| (c) | the findings of the national risk assessments carried out by the Member States pursuant to Article 8 of Directive (EU) 2024/1640, as well as of any relevant sector-specific risk assessment carried out by the Member States; |
| (d) | relevant information published by international standard setters in the AML/CFT area or, at the level of the Union, relevant publications by the Commission or by AMLA; |
| (e) | information on money laundering and terrorist financing risks provided by competent authorities; |
| (f) | information on the customer base. |
Prior to the launch of new products, services or business practices, including the use of new delivery channels and new or developing technologies, in conjunction with new or pre-existing products and services or before starting to provide an existing service or product to a new customer segment or in a new geographical area, obliged entities shall identify and assess, in particular, the related money laundering and terrorist financing risks and take appropriate measures to manage and mitigate those risks.
2. The business-wide risk assessment drawn up by the obliged entity pursuant to paragraph 1 shall be documented, kept up-to-date and regularly reviewed, including where any internal or external events significantly affect the money laundering and terrorist financing risks associated with the activities, products, transactions, delivery channels, customers or geographical zones of activities of the obliged entity. It shall be made available to supervisors upon request.
The business-wide risk assessment shall be drawn up by the compliance officer and approved by the management body in its management function and, where such body exists, communicated to the management body in its supervisory function.
3. With the exception of credit institutions, financial institutions, crowdfunding service providers and crowdfunding intermediaries, supervisors may decide that individual documented business-wide risk assessments are not required where the specific risks inherent in the sector are clear and understood.
4. By 10 July 2026, AMLA shall issue guidelines on the minimum requirements for the content of the business-wide risk assessment drawn up by the obliged entity pursuant to paragraph 1, and on the additional sources of information to be taken into account when carrying out the business-wide risk assessment.
Article 11
Compliance functions
1. Obliged entities shall appoint one member of the management body in its management function who shall be responsible for ensuring compliance with this Regulation, Regulation (EU) 2023/1113 and any administrative act issued by any supervisor (‘compliance manager’).
The compliance manager shall ensure that the obliged entity’s internal policies, procedures and controls are consistent with the obliged entity’s risk exposure and that they are implemented. The compliance manager shall also ensure that sufficient human and material resources are allocated to that end. The compliance manager shall be responsible for receiving information on significant or material weaknesses in such policies, procedures and controls.
Where the management body in its management function is a body collectively responsible for its decisions, the compliance manager shall be responsible for assisting and advising it and for preparing the decisions referred to in this Article.
2. Obliged entities shall have a compliance officer, to be appointed by the management body in its management function and with sufficiently high hierarchical standing, who shall be responsible for the policies, procedures and controls in the day-to-day operation of the obliged entity’s AML/CFT requirements, including in relation to the implementation of targeted financial sanctions, and shall be a contact point for competent authorities. The compliance officer shall also be responsible for reporting suspicious transactions to the FIU in accordance with Article 69(6).
In the case of obliged entities subject to checks on their senior management or beneficial owners pursuant to Article 6 of Directive (EU) 2024/1640 or under other Union legal acts, compliance officers shall be subject to verification that they comply with those requirements.
Where justified by the size of the obliged entity and the low risk of its activities, an obliged entity that is part of a group may appoint as its compliance officer an individual who performs that function in another entity within that group.
The compliance officer may only be removed following prior notification to the management body in its management function. The obliged entity shall notify the supervisor of the removal of the compliance officer, specifying whether the decision relates to the carrying out of the tasks assigned under this Regulation. The compliance officer may, on his or her own initiative or upon request, provide information to the supervisor concerning the removal. The supervisor may use that information to perform its tasks under the second subparagraph of this paragraph and under Article 37(4) of Directive (EU) 2024/1640.
3. Obliged entities shall provide the compliance functions with adequate resources, including staff and technology, in proportion to the size, nature and risks of the obliged entity for effective performance of their tasks, and shall ensure that the persons responsible for those functions are granted the powers to propose any measures necessary to ensure the effectiveness of the obliged entity’s internal policies, procedures and controls.
4. Obliged entities shall take measures to ensure that the compliance officer is protected against retaliation, discrimination and any other unfair treatment, and that decisions of the compliance officer are not undermined or unduly influenced by commercial interests of the obliged entity.
5. Obliged entities shall ensure that the compliance officer and the person responsible for the audit function referred to in Article 9(2), point (b), can report directly to the management body in its management function and, where such a body exists, to the management body in its supervisory function independently, and can raise concerns and warn the management body, where specific risk developments affect or may affect the obliged entity.
Obliged entities shall ensure that the persons directly or indirectly participating in implementation of this Regulation, Regulation (EU) 2023/1113 and any administrative act issued by any supervisor, have access to all information and data necessary to perform their tasks.
6. The compliance manager shall regularly report on the implementation of the obliged entity’s internal policies, procedures and controls to the management body. In particular, the compliance manager shall submit once a year, or, where appropriate, more frequently, to the management body a report on the implementation of the obliged entity’s internal policies, procedures and controls drawn up by the compliance officer, and shall keep that body informed of the outcome of any reviews. The compliance manager shall take the necessary actions to remedy in a timely manner any deficiencies identified.
7. Where the nature of the business of the obliged entity, including its risks and complexity, and its size justify it, the functions of the compliance manager and the compliance officer may be performed by the same natural person. Those functions may be cumulated with other functions.
Where the obliged entity is a natural person or a legal person whose activities are performed by one natural person only, that person shall be responsible for performing the tasks under this Article.
Article 12
Awareness of requirements
Obliged entities shall take measures to ensure that their employees or persons in comparable positions whose function so requires, including their agents and distributors are aware of the requirements arising from this Regulation, Regulation (EU) 2023/1113 and any administrative act issued by any supervisor, and of the business-wide risk assessment, internal policies, procedures and controls in place in the obliged entity, including in relation to the processing of personal data for the purposes of this Regulation.
The measures referred to in the first paragraph shall include the participation of employees or persons in comparable positions, including agents and distributors, in specific, ongoing training programmes to help them recognise operations which may be related to money laundering or terrorist financing and to instruct them as to how to proceed in such cases. Such training programmes shall be appropriate to their functions or activities and to the risks of money laundering and terrorist financing to which the obliged entity is exposed, and shall be duly documented.
Article 13
Integrity of employees
1. Any employee, or person in a comparable position, including agents and distributors, directly participating in the obliged entity’s compliance with this Regulation, Regulation (EU) 2023/1113 and any administrative act issued by any supervisor, shall undergo an assessment commensurate with the risks associated with the tasks performed and whose content is approved by the compliance officer of:
| (a) | individual skills, knowledge and expertise to carry out their functions effectively; |
| (b) | good repute, honesty and integrity. |
The assessment referred to in the first subparagraph shall be performed prior to taking up of activities by the employee or person in a comparable position, including agents and distributors, and shall be regularly repeated. The intensity of the subsequent assessments shall be determined on the basis of the tasks entrusted to the person and risks associated with the function they perform.
2. Employees, or persons in comparable positions, including agents and distributors, entrusted with tasks related to the obliged entity’s compliance with this Regulation, Regulation (EU) 2023/1113 and any administrative act issued by any supervisor, shall inform the compliance officer of any close private or professional relationship established with the obliged entity’s customers or prospective customers and shall be prevented from undertaking any tasks related to the obliged entity’s compliance in relation to those customers.
3. Obliged entities shall have in place procedures to prevent and manage conflicts of interest that may affect the carrying out of tasks related to the obliged entity’s compliance with this Regulation, Regulation (EU) 2023/1113 and any administrative act issued by any supervisor.
4. This Article shall not apply where the obliged entity is a natural person or a legal person whose activities are performed by one natural person only.
Article 14
Reporting of breaches and protection of reporting persons
1. Directive (EU) 2019/1937 of the European Parliament and of the Council (41) shall apply to the reporting of breaches of this Regulation, Regulation (EU) 2023/1113 and any administrative act issued by any supervisor, and to the protection of persons reporting such breaches.
2. Obliged entities shall establish internal reporting channels that meet the requirements set out in Directive (EU) 2019/1937.
3. Paragraph 2 shall not apply where the obliged entity is a natural person or a legal person whose activities are performed by one natural person only.
Article 15
Situation of specific employees
Where a natural person falling within any of the categories listed in Article 3, point (3) performs professional activities as an employee of a legal person, the requirements laid down in this Regulation shall apply to that legal person rather than to the natural person.
SECTION 2
Provisions applying to groups
Article 16
Group-wide requirements
1. A parent undertaking shall ensure that the requirements on internal procedures, risk assessment and staff referred to in Section 1 of this Chapter apply in all branches and subsidiaries of the group in the Member States and, for groups whose head office is located in the Union, in third countries. To this end, a parent undertaking shall perform a group-wide risk assessment, taking into account the business-wide risk assessment performed by all branches and subsidiaries of the group, and establish and implement group-wide policies, procedures and controls, including on data protection and on information sharing within the group for AML/CFT purposes and to ensure that employees within the group are aware of the requirements arising from this Regulation. Obliged entities within the group shall implement those group-wide policies, procedures and controls, taking into account their specificities and the risks to which they are exposed.
The group-wide policies, procedures and controls and the group-wide risk assessments referred to in the first subparagraph shall include all the elements listed in Articles 9 and 10, respectively.
For the purposes of the first subparagraph, where a group has establishments in more than one Member State and, for groups whose head office is located in the Union, in third countries, parent undertakings shall take into account the information published by the authorities of all the Member States or third countries where the group’s establishments are located.
2. Compliance functions shall be established at the level of the group. Those functions shall include a compliance manager at the level of the group and, where justified by the activities carried out at group level, a compliance officer. The decision on the extent of the compliance functions shall be documented.
The compliance manager referred to in the first subparagraph shall regularly report to the management body in its management function of the parent undertaking on the implementation of the group-wide policies, procedures and controls. At a minimum, the compliance manager shall submit once a year a report on the implementation of the obliged entity’s internal policies, procedures and controls and shall take the necessary actions to remedy in a timely manner any deficiencies identified. Where the management body in its management function is a body collectively responsible for its decisions, the compliance manager shall assist and advise it, and shall prepare the decisions necessary for the implementation of this Article.
3. The policies, procedures and controls pertaining to the sharing of information referred to in paragraph 1 shall require obliged entities within the group to exchange information when such sharing is relevant for the purposes of customer due diligence and money laundering and terrorist financing risk management. The sharing of information within the group shall cover in particular the identity and characteristics of the customer, its beneficial owners or the person on behalf of whom the customer acts, the nature and purpose of the business relationship and of the occasional transactions and the suspicions, accompanied by the underlying analyses, that funds are the proceeds of criminal activity or are related to terrorist financing reported to FIU pursuant to Article 69, unless otherwise instructed by the FIU.
The group-wide policies, procedures and controls shall not prevent entities within a group which are not obliged entities to provide information to obliged entities within the same group where such sharing is relevant for those obliged entities to comply with requirements set out in this Regulation.
Parent undertakings shall put in place group-wide policies, procedures and controls to ensure that the information exchanged pursuant to the first and second subparagraphs is subject to sufficient guarantees in terms of confidentiality, data protection and use of the information, including to prevent its disclosure.
4. By 10 July 2026, AMLA shall develop draft regulatory technical standards and submit them to the Commission for adoption. Those draft regulatory technical standards shall specify the minimum requirements of group-wide policies, procedures and controls, including minimum standards for information sharing within the group, the criteria for identifying the parent undertaking in the cases covered by Article 2(1), point (42)(b), and the conditions under which the provisions of this Article apply to entities that are part of structures which share common ownership, management or compliance control, including networks or partnerships, as well as the criteria for identifying the parent undertaking in the Union in those cases.
5. Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in paragraph 4 of this Article in accordance with Articles 49 to 52 of Regulation (EU) 2024/1620.
Article 17
Branches and subsidiaries in third countries
1. Where branches or subsidiaries of obliged entities are located in third countries where the minimum AML/CFT requirements are less strict than those set out in this Regulation, the parent undertaking shall ensure that those branches or subsidiaries comply with the requirements laid down in this Regulation, including requirements concerning data protection, or equivalent.
2. Where the law of a third country does not permit compliance with this Regulation, the parent undertaking shall take additional measures to ensure that branches and subsidiaries in that third country effectively handle the risk of money laundering or terrorist financing, and shall inform the supervisors of its home Member State of those additional measures. Where the supervisors of the home Member State consider that the additional measures are not sufficient, they shall exercise additional supervisory actions, including requiring the group not to enter into any business relationship, to terminate existing ones or not to undertake transactions, or to close down its operations in the third country.
3. By 10 July 2026, AMLA shall develop draft regulatory technical standards and submit them to the Commission for adoption. Those draft regulatory technical standards shall specify the type of additional measures referred to in paragraph 2 of this Article, including the minimum action to be taken by obliged entities where the law of a third country does not permit the implementation of the measures required under Article 16 and the additional supervisory actions required in such cases.
4. Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in paragraph 3 of this Article in accordance with Articles 49 to 52 of Regulation (EU) 2024/1620.
SECTION 3
Outsourcing
Article 18
Outsourcing
1. Obliged entities may outsource tasks resulting from this Regulation to service providers. The obliged entity shall notify the supervisor of the outsourcing before the service provider starts to carry out the outsourced task.
2. When performing tasks under this Article, service providers shall be regarded as part of the obliged entity, including where they are required to consult the central registers referred to in Article 10 of Directive (EU) 2024/1640 (‘central registers’) for the purposes of carrying out customer due diligence on behalf of the obliged entity.
The obliged entity shall remain fully liable for any action, whether an act of commission or omission, connected to the outsourced tasks that are carried out by service providers.
For each outsourced task, the obliged entity shall be able to demonstrate to the supervisor that it understands the rationale behind the activities carried out by the service provider and the approach followed in their implementation, and that such activities mitigate the specific risks to which the obliged entity is exposed.
3. The tasks outsourced pursuant to paragraph 1 of this Article shall not be undertaken in such a way as to impair materially the quality of the obliged entity’s policies and procedures to comply with the requirements of this Regulation and of Regulation (EU) 2023/1113, and of the controls in place to test those policies and procedures. The following tasks shall not be outsourced under any circumstances:
| (a) | the proposal and approval of the obliged entity’s business-wide risk assessment pursuant to Article 10(2); |
| (b) | the approval of the obliged entity’s internal policies, procedures and controls pursuant to Article 9; |
| (c) | decision on the risk profile to be attributed to the customer; |
| (d) | the decision to enter into a business relationship or carry out an occasional transaction with a client; |
| (e) | the reporting to FIU of suspicious activities pursuant to Article 69 or threshold-based reports pursuant to Article 74 and 80, except where such activities are outsourced to another obliged entity belonging to the same group and established in the same Member State; |
| (f) | the approval of the criteria for the detection of suspicious or unusual transactions and activities. |
4. Before an obliged entity outsources a task pursuant to paragraph 1, it shall assure itself that the service provider is sufficiently qualified to carry out the tasks to be outsourced.
Where an obliged entity outsources a task pursuant to paragraph 1, it shall ensure that the service provider, as well as any subsequent sub-outsourcing service provider, applies the policies and procedures adopted by the obliged entity. The conditions for the performance of such tasks shall be laid down in a written agreement between the obliged entity and the service provider. The obliged entity shall perform regular controls to ascertain the effective implementation of such policies and procedures by the service provider. The frequency of such controls shall be determined on the basis of the critical nature of the tasks outsourced.
5. Obliged entities shall ensure that outsourcing is not undertaken in such way as to impair materially the ability of the supervisory authorities to monitor and retrace the obliged entity’s compliance with this Regulation and Regulation (EU) 2023/1113.
6. By way of derogation from paragraph 1, obliged entities shall not outsource tasks deriving from the requirements under this Regulation to service providers residing or established in third countries identified pursuant to Section 2 of Chapter III, unless all of the following conditions are met:
| (a) | the obliged entity outsources tasks solely to a service provider that is part of the same group; |
| (b) | the group applies AML/CFT policies and procedures, customer due diligence measures and rules on record-keeping that are fully in compliance with this Regulation, or with equivalent rules in third countries; |
| (c) | the effective implementation of the requirements referred to in point (b) of this paragraph is supervised at group level by the supervisory authority of the home Member State in accordance with Chapter IV of Directive (EU) 2024/1640. |
7. By way of derogation from paragraph 3, where a collective investment undertaking has no legal personality, or has only a board of directors and has delegated the processing of subscriptions and the collection of funds as defined in Article 4, point (25), of Directive (EU) 2015/2366 from investors to another entity, it may outsource the task referred to in paragraph 3, points (c), (d) and (e) to one of its service providers.
The outsourcing referred to in the first subparagraph of this paragraph may only take place after the collective investment undertaking has notified its intention to outsource the task to the supervisor pursuant to paragraph 1, and the supervisor has approved such outsourcing taking into consideration:
| (a) | the resources, experience and knowledge of the service provider in relation to the prevention of money laundering and terrorist financing; |
| (b) | the knowledge of the service provider of the type of activities or transactions carried out by the collective investment undertaking. |
8. By 10 July 2027, AMLA shall issue guidelines addressed to obliged entities on:
| (a) | the establishment of outsourcing relationships, including any subsequent outsourcing relationship, in accordance with this Article, their governance and procedures for monitoring the implementation of functions by the service provider and in particular those functions that are to be regarded as critical; |
| (b) | the roles and responsibility of the obliged entity and the service provider within an outsourcing agreement; |
| (c) | supervisory approaches to outsourcing as well as supervisory expectations regarding the outsourcing of critical functions. |
CHAPTER III
CUSTOMER DUE DILIGENCE
SECTION 1
General provisions
Article 19
Application of customer due diligence measures
1. Obliged entities shall apply customer due diligence measures in any of the following circumstances:
| (a) | when establishing a business relationship; |
| (b) | when carrying out an occasional transaction of a value of at least EUR 10 000, or the equivalent in national currency, whether that transaction is carried out in a single operation or through linked transactions, or a lower value laid down pursuant to paragraph 9; |
| (c) | when participating in the creation of a legal entity, the setting up of a legal arrangement or, for the obliged entities referred to in Article 3, points (3) (a), (b) or (c), in the transfer of ownership of a legal entity, irrespective of the value of the transaction; |
| (d) | when there is a suspicion of money laundering or terrorist financing, regardless of any derogation, exemption or threshold; |
| (e) | when there are doubts about the veracity or adequacy of previously obtained customer identification data; |
| (f) | when there are doubts as to whether the person they interact with is the customer or person authorised to act on behalf of the customer. |
2. In addition to the circumstances referred to in paragraph 1, credit institutions and financial institutions, with the exception of crypto-asset service providers, shall apply customer due diligence measures when initiating or executing an occasional transaction that constitutes a transfer of funds as defined in Article 3, point (9), of Regulation (EU) 2023/1113, that amounts to a value of at least EUR 1 000, or the equivalent in national currency, whether that transaction is carried out in a single operation or through linked transactions.
3. By way of derogation from paragraph 1, point (b), crypto-asset service providers shall:
| (a) | apply customer due diligence measures when carrying out an occasional transaction that amounts to a value of at least EUR 1 000, or the equivalent in national currency, whether the transaction is carried out in a single operation or through linked transactions; |
| (b) | apply at least customer due diligence measures referred to in Article 20(1), point (a), when carrying out an occasional transaction where the value is below EUR 1 000, or the equivalent in national currency, whether the transaction is carried out in a single operation or through linked transactions. |
4. By way of derogation from paragraph 1, point (b), obliged entities shall apply at least customer due diligence measures referred to in Article 20(1), point (a), when carrying out an occasional transaction in cash amounting to a value of at least EUR 3 000, or the equivalent in national currency, whether the transaction is carried out in a single operation or through linked transactions.
The first subparagraph of this paragraph shall not apply where Member States have in place, pursuant to Article 80(2) and (3), a limit to large cash payments of EUR 3 000 or less, or the equivalent in national currency, except in the cases covered by paragraph 4, point (b) of that Article.
5. In addition to the circumstances referred to in paragraph 1, providers of gambling services shall apply customer due diligence measures upon the collection of winnings, the wagering of a stake, or both, when carrying out transactions amounting to at least EUR 2 000 or the equivalent in national currency, whether the transaction is carried out in a single operation or through linked transactions.
6. For the purposes of this Chapter, obliged entities shall consider as their customers the following persons:
| (a) | in the case of obliged entities as referred to in Article 3, points (3) (e), (f) and (i) and persons trading in high value goods as referred to in Article 3, point (3) (j), in addition to their direct customer, the supplier of goods; |
| (b) | in the case of notaries, lawyers and other independent legal professionals intermediating a transaction and to the extent that they are the only notary or lawyer or other independent legal professional intermediating that transaction, both parties to the transaction; |
| (c) | in the case of real estate agents, both parties to the transaction; |
| (d) | in relation to payment initiation services carried out by payment initiation service providers, the merchant; |
| (e) | in relation to crowdfunding service providers and crowdfunding intermediaries, the natural or legal person both seeking funding and providing funding through the crowdfunding platform. |
7. Supervisors may, directly or in cooperation with other authorities in that Member State, exempt obliged entities from applying, in full or in part, the customer due diligence measures referred to in Article 20(1), points (a), (b) and (c), with respect to electronic money on the basis of the proven low risk posed by the nature of the product, where all of the following risk-mitigating conditions are met:
| (a) | the payment instrument is not reloadable, and the amount stored electronically does not exceed EUR 150 or the equivalent in national currency; |
| (b) | the payment instrument is used exclusively to purchase goods or services provided by the issuer, or within a network of service providers; |
| (c) | the payment instrument is not linked to a payment account and it does not permit any stored amount to be exchanged for cash or for crypto-assets; |
| (d) | the issuer carries out sufficient monitoring of the transactions or business relationship to enable the detection of unusual or suspicious transactions. |
8. Providers of gambling services may fulfil their obligation to apply customer due diligence measures referred to in Article 20(1), point (a), by identifying the customer and verifying the customer’s identity upon entry to the casino or other physical gambling premises, provided that they have systems in place that enable them to attribute transactions to specific customers.
9. By 10 July 2026, AMLA shall develop draft regulatory technical standards and submit them to the Commission for adoption. Those draft regulatory technical standards shall specify:
| (a) | the obliged entities, sectors or transactions that are associated with higher money laundering and terrorist financing risk and to which a value lower than the value set out in paragraph 1, point (b), applies; |
| (b) | the related occasional transaction values; |
| (c) | the criteria to be taken into account for identifying occasional transactions and business relationships; |
| (d) | the criteria to identify linked transactions. |
When developing the draft regulatory technical standards referred to in the first subparagraph, AMLA shall take due account of the inherent levels of risks of the business models of the different types of obliged entities and of the risk assessment at Union level conducted by the Commission pursuant to Article 7 of Directive (EU) 2024/1640.
10. Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in paragraph 9 of this Article in accordance with Articles 49 to 52 of Regulation (EU) 2024/1620.
Article 20
Customer due diligence measures
1. For the purpose of conducting customer due diligence, obliged entities shall apply all of the following measures:
| (a) | identifying the customer and verifying the customer’s identity; |
| (b) | identifying the beneficial owners and taking reasonable measures to verify their identity so that the obliged entity is satisfied that it knows who the beneficial owner is and that it understands the ownership and control structure of the customer; |
| (c) | assessing and, as appropriate, obtaining information on and understanding the purpose and intended nature of the business relationship or the occasional transactions; |
| (d) | verifying whether the customer or the beneficial owners are subject to targeted financial sanctions, and, in the case of a customer or party to a legal arrangement who is a legal entity, whether natural or legal persons subject to targeted financial sanctions control the legal entity or have more than 50 % of the proprietary rights of that legal entity or majority interest in it, whether individually or collectively; |
| (e) | assessing and, as appropriate, obtaining information on the nature of the customers’ business, including, in the case of undertakings, whether they carry out activities, or of their employment or occupation; |
| (f) | conducting ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of the business relationship to ensure that the transactions being conducted are consistent with the obliged entity’s knowledge of the customer, the business and risk profile, including where necessary the source of funds; |
| (g) | determining whether the customer, the beneficial owner of the customer and, where relevant, the person on whose behalf or for the benefit of whom a transaction or activity is being carried out is a politically exposed person, a family member or person known to be a close associate; |
| (h) | where a transaction or activity is being conducted on behalf of or for the benefit of natural persons other than the customer, identifying and verifying the identity of those natural persons; |
| (i) | verifying that any person purporting to act on behalf of the customer is so authorised and identify and verify their identity. |
2. Obliged entities shall determine the extent of the measures referred to in paragraph 1 on the basis of an individual analysis of the risks of money laundering and terrorist financing having regard to the specific characteristics of the client and of the business relationship or occasional transaction, and taking into account the business-wide risk assessment by the obliged entity pursuant to Article 10 and the money laundering and terrorist financing variables set out in Annex I as well as the risk factors set out in Annexes II and III.
Where obliged entities identify an increased risk of money laundering or terrorist financing they shall apply enhanced due diligence measures pursuant to Section 4 of this Chapter. Where situations of lower risk are identified, obliged entities may apply simplified due diligence measures pursuant to Section 3 of this Chapter.
3. By 10 July 2026, AMLA shall issue guidelines on the risk variables and risk factors to be taken into account by obliged entities when entering into business relationships or carrying out occasional transactions.
4. Obliged entities shall at all times be able to demonstrate to their supervisors that the measures taken are appropriate in view of the risks of money laundering and terrorist financing that have been identified.
Article 21
Inability to comply with the requirement to apply customer due diligence measures
1. Where an obliged entity is unable to comply with the requirement to apply customer due diligence measures laid down in Article 20(1), it shall refrain from carrying out a transaction or establishing a business relationship, and shall terminate the business relationship and consider reporting a suspicious transaction to the FIU in relation to the customer in accordance with Article 69.
The termination of a business relationship pursuant to the first subparagraph of this paragraph shall not prohibit the receipt of funds as defined in Article 4, point (25), of Directive (EU) 2015/2366 due to the obliged entity.
Where an obliged entity has a duty to protect its customer’s assets, the termination of the business relationship shall not be understood as requiring the disposal of the assets of the customer.
In the case of life insurance contracts, obliged entities shall, where necessary as an alternative measure to terminating the business relationship, refrain from performing transactions for the customer, including payouts to beneficiaries, until the customer due diligence measures laid down in Article 20(1) are complied with.
2. Paragraph 1 shall not apply to notaries, lawyers, other independent legal professionals, auditors, external accountants and tax advisors, to the extent that those persons ascertain the legal position of their client, or perform the task of defending or representing that client in, or concerning, judicial proceedings, including providing advice on instituting or avoiding such proceedings.
The first subparagraph shall not apply when the obliged entities referred to therein:
| (a) | take part in money laundering, its predicate offences or terrorist financing; |
| (b) | provide legal advice for the purposes of money laundering, its predicate offences or terrorist financing; or |
| (c) | know that the client is seeking legal advice for the purposes of money laundering, its predicate offences or terrorist financing; knowledge or purpose may be inferred from objective factual circumstances. |
3. Obliged entities shall keep record of the actions taken in order to comply with the requirement to apply customer due diligence measures, including records of the decisions taken and the relevant supporting documents and justifications. Documents, data or information held by the obliged entity shall be updated whenever the customer due diligence is reviewed pursuant to Article 26.
The obligation to keep records provided for in the first subparagraph of this paragraph shall also apply to situations where obliged entities refuse to enter into a business relationship, terminate a business relationship or apply alternative measures pursuant to paragraph 1.
4. By 10 July 2027, AMLA shall issue joint guidelines with the European Banking Authority on the measures that may be taken by credit institutions and financial institutions to ensure compliance with AML/CFT rules when implementing the requirements of Directive 2014/92/EU, including in relation to business relationships that are most affected by de-risking practices.
Article 22
Identification and verification of the identity of customers and beneficial owners
1. With the exception of cases of lower risk to which measures under Section 3 apply and irrespective of the application of additional measures in cases of higher risk under Section 4 obliged entities shall obtain at least the following information in order to identify the customer, any person purporting to act on behalf of the customer, and the natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted:
| (a) | for a natural person:
|
| (b) | for a legal entity:
|
| (c) | for a trustee of an express trust or a person holding an equivalent position in a similar legal arrangement:
|
| (d) | for other organisations that have legal capacity under national law:
|
2. For the purposes of identifying the beneficial owner of a legal entity or of a legal arrangement, obliged entities shall collect the information referred to in Article 62(1), second subparagraph, point (a).
Where, after having exhausted all possible means of identification, no natural persons are identified as beneficial owners, or where there are doubts that the persons identified are the beneficial owners, obliged entities shall record that no beneficial owner was identified and identify all the natural persons holding the positions of senior managing officials in the legal entity and shall verify their identity.
Where the performance of identity verification referred to in the second subparagraph may tip off the customer that the obliged entity has doubts regarding the beneficial ownership of the legal entity, the obliged entity shall abstain from verifying the senior managing officials’ identity, and shall instead record the steps taken to ascertain the identity of the beneficial owners and senior managing officials. Obliged entities shall keep records of the actions taken as well as of the difficulties encountered during the identification process, which led to resorting to the identification of a senior managing official.
3. Credit institutions and financial institutions shall obtain information to identify and verify the identity of the natural or legal persons using any virtual IBAN they issue, and the associated bank or payment account.
The credit institution or financial institution servicing the bank or payment account to which a virtual IBAN issued by another credit institution or financial institution redirects payments, shall ensure that it can obtain from the institution issuing the virtual IBAN the information identifying and verifying the identity of the natural person using that virtual IBAN without delay and in any case within 5 working days of it requesting that information.
4. In the case of beneficiaries of trusts or similar legal entities or arrangements that are designated by particular characteristics or class, an obliged entity shall obtain sufficient information concerning the beneficiary so that it will be able to establish the identity of the beneficiary at the time of the payout or at the time of the exercise by the beneficiary of its vested rights.
5. In the case of discretionary trusts, an obliged entity shall obtain sufficient information concerning the objects of a power and default takers to enable it to establish the identity of the beneficiary at the time of the exercise by the trustees of their power of discretion, or at the time that the default takers become the beneficiaries due to the trustees’ failure to exercise their power of discretion.
6. Obliged entities shall obtain the information, documents and data necessary for the verification of the identity of the customer and of any person purporting to act on their behalf through either of the following means:
| (a) | the submission of an identity document, passport or equivalent and, where relevant, the acquisition of information from reliable and independent sources, whether accessed directly or provided by the customer; |
| (b) | the use of electronic identification means which meet the requirements of Regulation (EU) No 910/2014 with regard to the assurance levels ‘substantial’ or ‘high’ and relevant qualified trust services as set out in that Regulation. |
7. Obliged entities shall verify the identity of the beneficial owner and, where relevant, the persons on whose behalf or for the benefit of whom a transaction or activity is being carried out in either of the following ways:
| (a) | in accordance with paragraph 6; |
| (b) | by taking reasonable measures to obtain the necessary information, documents and data from the customer or other reliable sources, including public registers other than the central registers. |
Obliged entities shall determine the extent of the information to be consulted, having regard to the risks posed by the occasional transaction or the business relationship and the beneficial owner, including risks relating to the ownership structure.
In addition to the means of verification set out in the first subparagraph of this paragraph, obliged entities shall verify the information on the beneficial owners by consulting the central registers.
Article 23
Timing of the verification of the customer and beneficial owner identity
1. Verification of the identity of the customer, the beneficial owner, and of any persons pursuant to Article 20(1), points (h) and (i), shall take place before the establishment of a business relationship or the carrying out of an occasional transaction. Such obligation shall not apply to situations of lower risk under Section 3 of this Chapter, provided that the lower risk justifies postponement of such verification.
For real estate agents, the verification referred to in the first subparagraph shall be carried out after an offer is accepted by the seller or lessor, and in all cases before any funds or property are transferred.
2. By way of derogation from paragraph 1, verification of the identity of the customer and of the beneficial owner may be completed during the establishment of a business relationship if necessary so as not to interrupt the normal conduct of business and where there is little risk of money laundering or terrorist financing. In such situations, those procedures shall be completed as soon as practicable after initial contact.
3. By way of derogation from paragraph 1 of this Article, a credit institution or financial institution may open an account, including accounts that permit transactions in transferable securities, as may be required by a customer provided that there are adequate safeguards in place to ensure that transactions are not carried out by the customer or on its behalf until full compliance with the customer due diligence measures laid down in Article 20(1), points (a) and (b), is obtained.
4. Whenever entering into a new business relationship with a legal entity or the trustee of an express trust or the person holding an equivalent position in a similar legal arrangement referred to in Articles 51, 57, 58, 61 and 67 and subject to the registration of beneficial ownership information pursuant to Article 10 of Directive (EU) 2024/1640, obliged entities shall collect valid proof of registration or a recently issued excerpt of the register confirming validity of registration.
Article 24
Reporting of discrepancies with information contained in beneficial ownership registers
1. Obliged entities shall report to the central registers any discrepancies they find between the information available in the central registers and the information they collect pursuant to Article 20(1), point (b), and Article 22(7).
The discrepancies referred to in the first subparagraph shall be reported without undue delay and, in any case, within 14 calendar days of their detection. When reporting such discrepancies, obliged entities shall accompany their reports with information they have obtained indicating the discrepancy and whom they consider to be the beneficial owners and, where applicable, the nominee shareholders and nominee directors to be and why.
2. By way of derogation from paragraph 1, obliged entities may refrain from reporting discrepancies to the central register and may instead request additional information from the customers where the discrepancies identified:
| (a) | are limited to typographical errors, different ways of transliteration, or minor inaccuracies that do not affect the identification of the beneficial owners or their position; or |
| (b) | are a result of outdated data, but the beneficial owners are known to the obliged entity from another reliable source and there are no grounds for suspicion that there is an intention to conceal any information. |
Where an obliged entity concludes that the beneficial ownership information in the central register is incorrect, it shall invite the customer to submit the correct information to the central register pursuant to Articles 63, 64 and 67 without undue delay, and, in any case, within 14 calendar days.
This paragraph shall not apply to cases of higher risk to which measures under Section 4 of this Chapter apply.
3. Where a customer has not submitted the correct information within the deadline referred to in paragraph 2, second subparagraph, the obliged entity shall report the discrepancy to the central register in accordance with paragraph 1, second subparagraph.
4. This Article shall not apply to notaries, lawyers, other independent legal professionals, auditors, external accountants and tax advisors in relation to information they receive from, or obtain on, a client, in the course of ascertaining the legal position of that client, or performing their task of defending or representing that client in, or concerning, judicial proceedings, including providing advice on instituting or avoiding such proceedings, regardless of whether such information is received or obtained before, during or after such proceedings.
However, the requirements of this Article shall apply when the obliged entities referred to in the first subparagraph of this paragraph provide legal advice in any of the situations covered by Article 21(2), second subparagraph.
Article 25
Identification of the purpose and intended nature of a business relationship or occasional transaction
Before entering into a business relationship or performing an occasional transaction, an obliged entity shall assure itself that it understands its purpose and intended nature. To that end, the obliged entity shall obtain, where necessary, information on:
| (a) | the purpose and economic rationale of the occasional transaction or business relationship; |
| (b) | the estimated amount of the envisaged activities; |
| (c) | the source of funds; |
| (d) | the destination of funds; |
| (e) | the business activity or the occupation of the customer. |
For the purposes of the first paragraph, point (a), of this Article, obliged entities covered by Article 74 shall collect information in order to determine whether the intended use of high value goods referred to in that Article is for commercial or non-commercial purposes.
Article 26
Ongoing monitoring of the business relationship and monitoring of transactions performed by customers
1. Obliged entities shall conduct ongoing monitoring of business relationships, including transactions undertaken by the customer throughout the course of a business relationship, to ensure that those transactions are consistent with the obliged entity’s knowledge of the customer, the customer’s business activity and risk profile, and where necessary, with the information about the origin and destination of the funds and to detect those transactions that shall be made subject to a more thorough assessment pursuant to Article 69(2).
Where business relationships cover more than one product or service, obliged entities shall ensure that the customer due diligence measures cover all those products and services.
Where obliged entities belonging to a group have business relationships with customers that are also the customers of other entities within that group, whether obliged entities or undertakings not subject to AML/CFT requirements, they shall take into account information relating to those other business relationships for the purposes of monitoring the business relationship with their customers.
2. In the context of the ongoing monitoring referred to in paragraph 1, obliged entities shall ensure that the relevant documents, data or information of the customer are kept up to date.
The period between updates of customer information pursuant to the first subparagraph shall be dependent on the risk posed by the business relationship and shall not in any case exceed:
| (a) | for higher risk customers to which measures under Section 4 of this Chapter apply, 1 year; |
| (b) | for all other customers, 5 years. |
3. In addition to the requirements set out in paragraph 2, obliged entities shall review and, where relevant, update the customer information where:
| (a) | there is a change in the relevant circumstances of a customer; |
| (b) | the obliged entity has a legal obligation in the course of the relevant calendar year to contact the customer for the purpose of reviewing any relevant information relating to the beneficial owners or to comply with Council Directive 2011/16/EU (42); |
| (c) | they become aware of a relevant fact which pertains to the customer. |
4. In addition to the ongoing monitoring referred to in paragraph 1 of this Article, obliged entities shall regularly verify whether the conditions laid down in Article 20(1), point (d), are met. The frequency of that verification shall be commensurate with the exposure of the obliged entity and the business relationship to risks of non-implementation and evasion of targeted financial sanctions.
For credit institutions and financial institutions, the verification referred to in the first subparagraph shall also be carried out upon any new designation in relation to targeted financial sanctions.
The requirements of this paragraph shall not replace the obligation to apply targeted financial sanctions or stricter requirements under other Union legal acts or under national law on the verification of the client base against lists of targeted financial sanctions.
5. By 10 July 2026, AMLA shall issue guidelines on ongoing monitoring of a business relationship and on the monitoring of the transactions carried out in the context of such relationship.
Article 27
Temporary measures for customers subject to UN financial sanctions
1. In respect of customers that are subject to UN financial sanctions or that are controlled by natural or legal persons or entities subject to UN financial sanctions, or in which natural or legal persons or entities that are subject to UN financial sanctions have more than 50 % of the proprietary rights or majority interest, whether individually or collectively, obliged entities shall keep records of:
| (a) | the funds or other assets that they manage for the customer at the time when UN financial sanctions are made public; |
| (b) | the transactions attempted by the customer; |
| (c) | the transactions carried out for the customer. |
2. Obliged entities shall apply this Article between the time that UN financial sanctions are made public and the time of application of the relevant targeted financial sanctions in the Union.
Article 28
Regulatory technical standards on the information necessary for the performance of customer due diligence
1. By 10 July 2026, AMLA shall develop draft regulatory technical standards and submit them to the Commission for adoption. Those draft regulatory technical standards shall specify:
| (a) | the requirements that apply to obliged entities pursuant to Article 20 and the information to be collected for the purpose of performing standard, simplified and enhanced due diligence pursuant to Articles 22 and 25 and Articles 33(1) and 34(4), including minimum requirements in situations of lower risk; |
| (b) | the type of simplified due diligence measures which obliged entities may apply in situations of lower risk pursuant to Article 33(1) of this Regulation, including measures applicable to specific categories of obliged entities and products or services, having regard to the results of the risk assessment at Union level conducted by the Commission pursuant to Article 7 of Directive (EU) 2024/1640; |
| (c) | the risk factors associated with features of electronic money instruments that should be taken into account by supervisors when determining the extent of the exemption under Article 19(7); |
| (d) | the reliable and independent sources of information that may be used to verify the identification data of natural or legal persons for the purposes of Article 22(6) and (7); |
| (e) | the list of attributes which electronic identification means and relevant qualified trust services referred to in Article 22(6), point (b), must feature in order to fulfil the requirements of Article 20(1), points (a) and (b), in the case of standard, simplified and enhanced due diligence. |
2. The requirements and measures referred to in paragraph 1, points (a) and (b), shall be based on the following criteria:
| (a) | the inherent risk involved in the service provided; |
| (b) | the risks associated with categories of customers; |
| (c) | the nature, amount and recurrence of the transaction; |
| (d) | the channels used for conducting the business relationship or the occasional transaction. |
3. AMLA shall review regularly the regulatory technical standards and, if necessary, prepare and submit to the Commission the draft for updating those standards in order, inter alia, to take account of innovation and technological developments.
4. Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in paragraphs 1 and 3 of this Article in accordance with Articles 49 to 52 of Regulation (EU) 2024/1620.
SECTION 2
Third-country policy and money laundering and terrorist financing threats from outside the Union
Article 29
Identification of third countries with significant strategic deficiencies in their national AML/CFT regimes
1. Third countries with significant strategic deficiencies in their national AML/CFT regimes shall be identified by the Commission and designated as ‘high-risk third countries’.
2. In order to identify third countries as referred to in paragraph 1 of this Article, the Commission is empowered to adopt delegated acts in accordance with Article 85 to supplement this Regulation, where:
| (a) | significant strategic deficiencies in the legal and institutional AML/CFT framework of the third country have been identified; |
| (b) | significant strategic deficiencies in the effectiveness of the third country’s AML/CFT system in addressing money laundering and terrorist financing risks or in its system to assess and mitigate risks of non-implementation or evasion of UN financial sanctions relating to proliferation financing have been identified; |
| (c) | the significant strategic deficiencies identified under points (a) and (b) are of a persistent nature and no measures to mitigate them have been taken or are being taken. |
Those delegated acts shall be adopted within 20 calendar days of the Commission ascertaining that the criteria in point (a), (b) or (c) of the first subparagraph are met.
3. For the purposes of paragraph 2, the Commission shall take into account calls for the application of enhanced due diligence measures and additional mitigating measures (‘countermeasures’) by international organisations and standard setters with competence in the field of preventing money laundering and combating terrorist financing, as well as relevant evaluations, assessments, reports or public statements drawn up by them.
4. Where a third country is identified in accordance with the criteria referred to in paragraph 2, obliged entities shall apply enhanced due diligence measures listed in Article 34(4) with respect to the business relationships or occasional transactions involving natural or legal persons from that third country.
5. The delegated act referred to in paragraph 2 shall identify among the countermeasures listed in Article 35 the specific countermeasures mitigating specific risks stemming from each high-risk third country.
6. Where a Member State identifies a specific money laundering or terrorist financing risk posed by a third country that the Commission has identified in accordance with the criteria referred to in paragraph 2 which is not addressed by the countermeasures referred to in paragraph 5, it may require obliged entities established in its territory to apply specific additional countermeasures to mitigate the specific risks stemming from that third country. The risk identified and the corresponding countermeasures shall be notified to the Commission within 5 days of the countermeasures being applied.
7. The Commission shall review the delegated acts referred to in paragraph 2 on a regular basis to ensure that the specific countermeasures identified pursuant to paragraph 5 take account of the changes in the AML/CFT framework of the third country and are proportionate and adequate to the risks.
Upon receiving a notification pursuant to paragraph 6, the Commission shall assess the information received to determine whether country-specific risks affect the integrity of the Union’s internal market. Where appropriate, the Commission shall review the delegated acts referred to in paragraph 2, by adding the necessary countermeasures to mitigate those additional risks. Where the Commission considers that the specific additional measures applied by a Member State under paragraph 6 are not necessary to mitigate specific risks stemming from that third country, it may decide, by means of an implementing act, that the Member State shall put an end to the specific additional countermeasure.
Article 30
Identification of third countries with compliance weaknesses in their national AML/CFT regimes
1. Third countries with compliance weaknesses in their national AML/CFT regimes shall be identified by the Commission.
2. In order to identify the third countries referred to in paragraph 1, the Commission is empowered to adopt delegated acts in accordance with Article 85 to supplement this Regulation, where:
| (a) | compliance weaknesses in the legal and institutional AML/CFT framework of the third country have been identified; |
| (b) | compliance weaknesses in the effectiveness of the third country’s AML/CFT system in addressing money laundering and terrorist financing risks or in its system to assess and mitigate risks of non-implementation or evasion of UN financial sanctions relating to proliferation financing have been identified. |
Those delegated acts shall be adopted within 20 calendar days of the Commission ascertaining that the criteria in point (a) or (b) of the first subparagraph are met.
3. The Commission, when drawing up the delegated acts referred to in paragraph 2 shall take into account, as a baseline for its assessment, information on jurisdictions under increased monitoring by international organisations and standard setters with competence in the field of preventing money laundering and combating terrorist financing, as well as relevant evaluations, assessments, reports or public statements drawn up by them.
4. The delegated act referred to in paragraph 2 shall identify the specific enhanced due diligence measures among those listed in Article 34(4), that obliged entities shall apply to mitigate risks related to business relationships or occasional transactions involving natural or legal persons from that third country.
5. The Commission shall review the delegated acts referred to in paragraph 2 on a regular basis to ensure that the specific enhanced due diligence measures identified pursuant to paragraph 4 take account of the changes in the AML/CFT framework of the third country and are proportionate and adequate to the risks.
Article 31
Identification of third countries posing a specific and serious threat to the Union’s financial system
1. The Commission is empowered to adopt delegated acts in accordance with Article 85 to supplement this Regulation by identifying third countries where in exceptional cases it considers it indispensable to mitigate a specific and serious threat to the Union’s financial system and the proper functioning of the internal market posed by those third countries, and which cannot be mitigated pursuant to Articles 29 and 30.
2. The Commission, when drawing up the delegated acts referred to in paragraph 1, shall take into account in particular the following criteria:
| (a) | the legal and institutional AML/CFT framework of the third country, in particular:
|
| (b) | the powers and procedures of the third country’s competent authorities for the purposes of combating money laundering and terrorist financing including appropriately effective, proportionate and dissuasive sanctions, as well as the third country’s practice in cooperation and exchange of information with Member States’ competent authorities; |
| (c) | the effectiveness of the third country’s AML/CFT system in addressing money laundering and terrorist financing risks. |
3. For the purposes of determining the level of threat referred to in paragraph 1, the Commission may request AMLA to adopt an opinion aimed at assessing the specific impact on the integrity of the Union’s financial system due to the level of threat posed by a third country.
4. Where AMLA identifies that a third country other than those identified pursuant to Articles 29 and 30 poses a specific and serious threat to the Union’s financial system, it may address an opinion to the Commission setting out the threat it has identified and why it believes that the Commission should identify the third country pursuant to paragraph 1.
Where the Commission decides not to identify the third country referred to in the first subparagraph, it shall provide a justification thereof to AMLA.
5. The Commission, when drawing up the delegated acts referred to in paragraph 1, shall take into account in particular relevant evaluations, assessments or reports drawn up by international organisations and standard setters with competence in the field of preventing money laundering and combating terrorist financing.
6. Where the identified specific and serious threat from the third country concerned amounts to a significant strategic deficiency, Article 29(4) shall apply and the delegated act referred to in paragraph 1 of this Article shall identify specific countermeasures as referred to in Article 29(5).
7. Where the identified specific and serious threat from the third country concerned amounts to a compliance weakness, the delegated act referred to in paragraph 1 shall identify specific enhanced due diligence measures among those listed in Article 34(4), that obliged entities shall apply to mitigate risks related to business relationships or occasional transactions involving natural or legal persons from that third country.
8. The Commission shall review the delegated acts referred to in paragraph 1 on a regular basis to ensure that the countermeasures referred to in paragraph 6 and enhanced due diligence measures referred to in paragraph 7 take account of the changes in the AML/CFT framework of the third country and are proportionate and adequate to the risks.
9. The Commission may adopt, by means of an implementing act, the methodology for the identification of third countries pursuant to this Article. That implementing act shall set out, in particular:
| (a) | how the criteria referred to in paragraph 2 are assessed; |
| (b) | the process for interaction with the third country under assessment; |
| (c) | the process for involvement of Member States and AMLA in the identification of third countries posing a specific and serious threat to the Union’s financial system. |
The implementing act referred to in the first subparagraph of this paragraph shall be adopted in accordance with the examination procedure referred to in Article 86(2).
Article 32
Guidelines on money laundering and terrorist financing risks, trends and methods
1. By 10 July 2027, AMLA shall issue guidelines defining the money laundering and terrorist financing risks, trends and methods involving any geographical area outside the Union to which obliged entities are exposed. AMLA shall take into account, in particular, the risk factors listed in Annex III. Where situations of higher risk are identified, the guidelines shall include enhanced due diligence measures that obliged entities shall consider applying to mitigate such risks.
2. AMLA shall review the guidelines referred to in paragraph 1 at least every 2 years.
3. When issuing and reviewing the guidelines referred to in paragraph 1, AMLA shall take into account evaluations, assessments or reports of Union institutions, bodies, offices and agencies, international organisations and standard setters with competence in the field of preventing money laundering and combating terrorist financing.
SECTION 3
Simplified due diligence
Article 33
Simplified due diligence measures
1. Where, taking into account the risk factors set out in Annexes II and III, the business relationship or transaction present a low degree of risk, obliged entities may apply the following simplified due diligence measures:
| (a) | verifying the identity of the customer and the beneficial owner after the establishment of the business relationship, provided that the specific lower risk identified justified such postponement, but in any case no later than 60 days of the relationship being established; |
| (b) | reducing the frequency of customer identification updates; |
| (c) | reducing the amount of information collected to identify the purpose and intended nature of the business relationship or occasional transaction or inferring it from the type of transactions or business relationship established; |
| (d) | reducing the frequency or degree of scrutiny of transactions carried out by the customer; |
| (e) | applying any other relevant simplified due diligence measure identified by AMLA pursuant to Article 28. |
The measures referred to in the first subparagraph shall be proportionate to the nature and size of the business and to the specific elements of lower risk identified. However, obliged entities shall carry out sufficient monitoring of the transactions and business relationship to enable the detection of unusual or suspicious transactions.
2. Obliged entities shall ensure that the internal procedures established pursuant to Article 9 contain the specific measures of simplified verification that shall be taken in relation to the different types of customers that present a lower risk. Obliged entities shall document decisions to take into account additional factors of lower risk.
3. For the purpose of applying simplified due diligence measures referred to in paragraph 1, point (a), obliged entities shall adopt risk management procedures with respect to the conditions under which they can provide services or perform transactions for a customer prior to the verification taking place, including by limiting the amount, number or types of transactions that can be performed or by monitoring transactions to ensure that they are in line with the expected norms for the business relationship at hand.
4. Obliged entities shall verify on a regular basis that the conditions for the application of simplified due diligence measures continue to exist. The frequency of such verifications shall be commensurate with the nature and size of the business and the risks posed by the specific relationship.
5. Obliged entities shall refrain from applying simplified due diligence measures in any of the following situations:
| (a) | the obliged entities have doubts as to the veracity of the information provided by the customer or the beneficial owner at the stage of identification, or they detect inconsistencies regarding that information; |
| (b) | the factors indicating a lower risk are no longer present; |
| (c) | the monitoring of the customer’s transactions and the information collected in the context of the business relationship exclude a lower risk scenario; |
| (d) | there is a suspicion of money laundering or terrorist financing; |
| (e) | there is a suspicion that the customer, or the person acting on behalf of the customer, is attempting to circumvent or evade targeted financial sanctions. |
SECTION 4
Enhanced due diligence
Article 34
Scope of application of enhanced due diligence measures
1. In the cases referred to in Articles 29, 30, 31 and 36 to 46, as well as in other cases of higher risk that are identified by obliged entities pursuant to Article 20(2), second subparagraph, obliged entities shall apply enhanced due diligence measures to manage and mitigate such risks appropriately.
2. Obliged entities shall examine the origin and destination of funds involved in, and the purpose of, all transactions that fulfil at least one of the following conditions:
| (a) | the transaction is of a complex nature; |
| (b) | the transaction is unusually large; |
| (c) | the transaction is conducted in an unusual pattern; |
| (d) | the transaction does not have an apparent economic or lawful purpose. |
3. With the exception of the cases covered by Section 2 of this Chapter, when assessing the risks of money laundering and terrorist financing posed by a business relationship or occasional transaction, obliged entities shall take into account at least the factors of potential higher risk set out in Annex III and the guidelines adopted by AMLA pursuant to Article 32, as well as any other indicators of higher risk such as notifications issued by the FIU and findings of the business-wide risk assessment under Article 10.
4. With the exception of the cases covered by Section 2 of this Chapter, in cases of higher risk as referred to in paragraph 1 of this Article, obliged entities shall apply enhanced due diligence measures, proportionate to the higher risks identified, which may include the following measures:
| (a) | obtaining additional information on the customer and the beneficial owners; |
| (b) | obtaining additional information on the intended nature of the business relationship; |
| (c) | obtaining additional information on the source of funds, and source of wealth of the customer and of the beneficial owners; |
| (d) | obtaining information on the reasons for the intended or performed transactions and their consistency with the business relationship; |
| (e) | obtaining the approval of senior management for establishing or continuing the business relationship; |
| (f) | conducting enhanced monitoring of the business relationship by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination; |
| (g) | requiring the first payment to be carried out through an account in the customer’s name with a credit institution subject to customer due diligence standards that are not less robust than those laid down in this Regulation. |
5. Where a business relationship that is identified as having a higher risk involves the handling of assets with a value of at least EUR 5 000 000, or the equivalent in national or foreign currency, through personalised services for a customer holding total assets with a value of at least EUR 50 000 000, or the equivalent in national or foreign currency, whether in financial, investable or real estate assets, or a combination thereof, excluding that customer’s private residence, credit institutions, financial institutions and trust or company service providers shall apply the following enhanced due diligence measures, in addition to any enhanced due diligence measure applied pursuant to paragraph 4:
| (a) | specific measures including procedures to mitigate risks associated with personalised services and products offered to that customer; |
| (b) | obtaining additional information on that customer’s source of funds; |
| (c) | preventing and managing conflicts of interest between the customer and senior management or employees of the obliged entity that undertake tasks related to that obliged entity’s compliance in relation to that customer. |
By 10 July 2027, AMLA shall issue guidelines on the measures to be taken by credit institutions, financial institutions and trust or company service providers to establish whether a customer holds total assets with a value of at least EUR 50 000 000, or the equivalent in national or foreign currency, in financial, investable or real estate assets and how to determine that value.
6. With the exception of the cases covered by Section 2 of this Chapter, where Member States identify cases of higher risks pursuant to Article 8 of Directive (EU) 2024/1640, including as a result of sectoral risk assessments carried out by the Member States, they may require obliged entities to apply enhanced due diligence measures and, where appropriate, specify those measures. Member States shall notify to the Commission and AMLA their decisions imposing enhanced due diligence requirements upon obliged entities established in their territory within 1 month of their adoption, accompanied by a justification of the money laundering and terrorist financing risks underpinning such decision.
Where the risks identified by Member States pursuant to the first subparagraph are likely to stem from outside the Union and may affect the Union’s financial system, AMLA shall, upon a request from the Commission or on its own initiative, consider updating the guidelines adopted pursuant to Article 32.
7. The Commission is empowered to adopt delegated acts in accordance with Article 85 to supplement this Regulation where it identifies additional cases of higher risk as referred to in paragraph 1 of this Article that affect the Union as a whole and enhanced due diligence measures that obliged entities are to apply in those cases, taking into account the notifications by Member States pursuant to paragraph 6, first subparagraph, of this Article.
8. Enhanced due diligence measures shall not be invoked automatically with respect to branches or subsidiaries of obliged entities established in the Union which are located in third countries referred to in Articles 29, 30 and 31 where those branches or subsidiaries fully comply with the group-wide policies, procedures and controls in accordance with Article 17.
Article 35
Countermeasures to mitigate money laundering and terrorist financing threats from outside the Union
For the purposes of Articles 29 and 31, the Commission may choose from among the following countermeasures:
| (a) | countermeasures that obliged entities are to apply to persons and legal entities involving high-risk third countries and, where relevant, other countries posing a threat to the Union’s financial system consisting in:
|
| (b) | countermeasures that Member States are to apply with regard to high-risk third countries and, where relevant, other countries posing a threat to the Union’s financial system consisting in:
|
Article 36
Specific enhanced due diligence measures for cross-border correspondent relationships
With respect to cross-border correspondent relationships, including relationships established for securities transactions or fund transfers, involving the execution of payments with a third-country respondent institution, in addition to the customer due diligence measures laid down in Article 20, credit institutions and financial institutions shall, when entering into a business relationship, be required to:
| (a) | gather sufficient information about the respondent institution to understand fully the nature of the respondent’s business and to determine from publicly available information the reputation of the institution and the quality of supervision; |
| (b) | assess the respondent institution’s AML/CFT controls; |
| (c) | obtain approval from senior management before establishing new correspondent relationships; |
| (d) | document the respective responsibilities of each institution; |
| (e) | with respect to payable-through accounts, be satisfied that the respondent institution has verified the identity of, and performed ongoing due diligence on, the customers having direct access to accounts of the correspondent institution, and that it is able to provide relevant customer due diligence data to the correspondent institution, upon request. |
Where credit institutions and financial institutions decide to terminate cross-border correspondent relationships for reasons relating to AML/CFT policy, they shall document their decision.
Article 37
Specific enhanced due diligence measures for cross-border correspondent relationships for crypto-asset service providers
1. By way of derogation from Article 36, with respect to cross-border correspondent relationships involving the execution of crypto-asset services, with a respondent entity not established in the Union and providing similar services, including transfers of crypto-assets, crypto-asset service providers shall, in addition to the customer due diligence measures laid down in Article 20, when entering into a business relationship, be required to:
| (a) | determine if the respondent entity is licensed or registered; |
| (b) | gather sufficient information about the respondent entity to understand fully the nature of the respondent’s business and to determine from publicly available information the reputation of the entity and the quality of supervision; |
| (c) | assess the respondent entity’s AML/CFT controls; |
| (d) | obtain approval from senior management before establishing the new correspondent relationship; |
| (e) | document the respective responsibilities of each party to the correspondent relationship; |
| (f) | with respect to payable-through crypto-asset accounts, be satisfied that the respondent entity has verified the identity of, and performed ongoing due diligence on, the customers having direct access to accounts of the correspondent entity, and that it is able to provide relevant customer due diligence data to the correspondent entity, upon request. |
Where crypto-asset service providers decide to terminate correspondent relationships for reasons relating to AML/CFT policy, they shall document their decision.
Crypto-asset service providers shall update the due diligence information for the correspondent relationship on a regular basis or when new risks emerge in relation to the respondent entity.
2. Crypto-asset service providers shall take into account the information collected pursuant to paragraph 1 in order to determine, on a risk sensitive basis, the appropriate measures to be taken to mitigate the risks associated with the respondent entity.
3. By 10 July 2027, AMLA shall issue guidelines to specify the criteria and elements that crypto-asset service providers shall take into account for conducting the assessment referred to in paragraph 1 and the risk mitigating measures referred to in paragraph 2, including the minimum action to be taken by crypto-asset service providers upon identification that the respondent entity is not registered or licensed.
Article 38
Specific measures for individual third-country respondent institutions
1. Credit institutions and financial institutions shall apply the measures laid down in paragraph 6 of this Article in relation to third-country respondent institutions with which they have a correspondent relationship pursuant to Articles 36 or 37 and in respect of which AMLA issues a recommendation pursuant to paragraph 2 of this Article.
2. AMLA shall issue a recommendation addressed to credit institutions and financial institutions where there are concerns that respondent institutions in third countries fall into any of the following situations:
| (a) | they are in serious, repeated or systematic breach of AML/CFT requirements; |
| (b) | they have weaknesses in their internal policies, procedures and controls that are likely to result in serious, repeated or systematic breaches of AML/CFT requirements; |
| (c) | they have in place internal policies, procedures and controls that are not commensurate with the risks of money laundering, its predicate offences and terrorist financing to which the third-country respondent institution is exposed. |
3. The recommendation referred to in paragraph 2 shall be issued where all of the following conditions are met:
| (a) | on the basis of the information available in the context of its supervisory activities, a financial supervisor, including AMLA when performing its supervisory activities, deems that a third-country respondent institution falls into any of the situations listed in paragraph 2 and may affect the risk exposure of the correspondent relationship; |
| (b) | following an assessment of the information available to the financial supervisor referred to in point (a) of this paragraph, there is an agreement among financial supervisors in the Union that the third-country respondent institution falls into any of the situations listed in paragraph 2 and may affect the risk exposure of the correspondent relationship. |
4. Prior to issuing the recommendation referred to in paragraph 2, AMLA shall consult the third-country supervisor in charge of the respondent institution and request that it provides its own as well as the respondent institution’s views on the adequacy of AML/CFT policies, procedures and controls as well as of the customer due diligence measures the respondent institution has in place to mitigate risks of money laundering, its predicate offences and terrorist financing and remedial measures to be put in place. Where no reply is provided within 2 months or where the reply provided does not indicate that the third-country respondent institution can implement satisfactory AML/CFT policies, procedures and controls as well as apply adequate customer due diligence measures to mitigate the risks to which it is exposed that may affect the correspondent relationship, AMLA shall proceed with the recommendation.
5. AMLA shall withdraw the recommendation referred to in paragraph 2 as soon as it considers that a third-country respondent institution on which it adopted that recommendation no longer fulfils the conditions laid down in paragraph 3.
6. In relation to third-country respondent institutions referred to in paragraph 1, credit institutions and financial institutions shall:
| (a) | abstain from entering into new business relationships with the third-country respondent institution unless they conclude, on the basis of the information collected under Article 36 or 37, that the mitigating measures applied to the business relationship with the third-country respondent institution and the measures in place in the third-country respondent institution can adequately mitigate the money laundering and terrorist financing risks associated with that business relationship; |
| (b) | for ongoing business relationships with the third-country respondent institution:
|
| (c) | inform the respondent institution of the conclusions they have drawn in relation to the risks posed by the correspondent relationship following the recommendation by AMLA and the measures taken pursuant to points (a) or (b). |
Where AMLA has withdrawn a recommendation pursuant to paragraph 5, credit institutions and financial institutions shall review their assessment as to whether the third-country respondent institutions fulfil any of the conditions laid down in paragraph 3.
7. Credit institutions and financial institutions shall document any decision taken pursuant to this Article.
Article 39
Prohibition of correspondent relationships with shell institutions
1. Credit institutions and financial institutions shall not enter into, or continue, a correspondent relationship with a shell institution. Credit institutions and financial institutions shall take appropriate measures to ensure that they do not engage in or continue correspondent relationships with a credit institution or financial institution that is known to allow its accounts to be used by a shell institution.
2. In addition to the requirement laid down in paragraph 1, crypto-asset service providers shall ensure that their accounts are not used by shell institutions to provide crypto-asset services. To that end, crypto-asset service providers shall have in place internal policies, procedures and controls to detect any attempt to use their accounts for the provision of unregulated crypto-asset services.
Article 40
Measures to mitigate risks in relation to transactions with a self-hosted address
1. Crypto-asset service providers shall identify and assess the risk of money laundering and financing of terrorism associated with transfers of crypto-assets directed to or originating from a self-hosted address. To that end, crypto-asset service providers shall have in place internal policies, procedures and controls.
Crypto-asset service providers shall apply mitigating measures commensurate with the risks identified. Those mitigating measures shall include one or more of the following:
| (a) | taking risk-based measures to identify, and verify the identity of, the originator or beneficiary of a transfer made from or to a self-hosted address or beneficial owner of such originator or beneficiary, including through reliance on third parties; |
| (b) | requiring additional information on the origin and destination of the crypto-assets; |
| (c) | conducting enhanced ongoing monitoring of transactions with a self-hosted address; |
| (d) | any other measure to mitigate and manage the risks of money laundering and financing of terrorism as well as the risk of non-implementation and evasion of targeted financial sanctions. |
2. By 10 July 2027, AMLA shall issue guidelines to specify the mitigating measures referred to in paragraph 1, including:
| (a) | the criteria and means for identification and verification of the identity of the originator or beneficiary of a transfer made from or to a self-hosted address, including through reliance on third parties, taking into account the latest technological developments; |
| (b) | criteria and means for the verification of whether or not the self-hosted address is owned or controlled by a customer. |
Article 41
Specific provisions regarding applicants for residence by investment schemes
In addition to the customer due diligence measures laid down in Article 20, with respect to customers who are third-country nationals who are in the process of applying for residence rights in a Member State in exchange for any kind of investment, including transfers, purchase or renting of property, investment in government bonds, investment in corporate entities, donation or endowment of an activity contributing to the public good and contributions to the state budget, obliged entities shall, as a minimum, apply enhanced due diligence measures set out in Article 34(4), points (a), (c), (e) and (f).
Article 42
Specific provisions regarding politically exposed persons
1. In addition to the customer due diligence measures laid down in Article 20, obliged entities shall apply the following measures with respect to occasional transactions or business relationships with politically exposed persons:
| (a) | obtain senior management approval for carrying out occasional transactions or for establishing or continuing business relationships with politically exposed persons; |
| (b) | take adequate measures to establish the source of wealth and source of funds that are involved in business relationships or occasional transactions with politically exposed persons; |
| (c) | conduct enhanced, ongoing monitoring of those business relationships. |
2. By 10 July 2027, AMLA shall issue guidelines on the following matters:
| (a) | the criteria for the identification of persons known to be close associates; |
| (b) | the level of risk associated with a particular category of politically exposed person, family member or person known to be a close associate, including guidance on how such risks are to be assessed where the person is no longer entrusted with a prominent public function for the purposes of Article 45. |
Article 43
List of prominent public functions
1. Each Member State shall issue and keep up-to-date a list indicating the exact functions which, in accordance with its national laws, regulations and administrative provisions, qualify as prominent public functions for the purposes of Article 2(1), point (34). Member States shall request each international organisation accredited on their territories to issue and keep up-to-date a list of prominent public functions at that international organisation for the purposes of Article 2(1), point (34). Those lists shall also include any function which may be entrusted to representatives of third countries and of international bodies accredited at Member State level. Member States shall notify those lists, as well as any change made to them, to the Commission and to AMLA.
2. The Commission may set out, by means of an implementing act, the format for the establishment and communication of the Member States’ lists of prominent public functions pursuant to paragraph 1. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 86(2).
3. The Commission is empowered to adopt delegated acts in accordance with Article 85 to supplement Article 2(1), point (34), where the lists notified by Member States pursuant to paragraph 1 identify common additional categories of prominent public functions and those categories of prominent public functions are of relevance for the Union as a whole.
When drawing up delegated acts pursuant to the first subparagraph, the Commission shall consult AMLA.
4. The Commission shall draw up and keep up-to-date the list of the exact functions which qualify as prominent public functions at the level of the Union. That list shall also include any function which may be entrusted to representatives of third countries and of international bodies accredited at Union level.
5. The Commission shall assemble, based on the lists provided for in paragraphs 1 and 4 of this Article, a single list of all prominent public functions for the purposes of Article 2(1), point (34). The Commission shall publish that single list in the Official Journal of the European Union. AMLA shall make that list publicly available on its website.
Article 44
Politically exposed persons who are beneficiaries of insurance policies
Obliged entities shall take reasonable measures to determine whether the beneficiaries of a life or other investment-related insurance policy or, where relevant, the beneficial owner of the beneficiary are politically exposed persons. Those measures shall be taken no later than at the time of the payout or at the time of the assignment, in whole or in part, of the policy. Where there are higher risks identified, in addition to applying the customer due diligence measures laid down in Article 20, obliged entities shall:
| (a) | inform senior management before payout of policy proceeds; |
| (b) | conduct enhanced scrutiny of the entire business relationship with the policyholder. |
Article 45
Measures for persons who cease to be politically exposed persons
1. Where a politically exposed person is no longer entrusted with a prominent public function by the Union, a Member State, third country or an international organisation, obliged entities shall take into account the continuing risk posed by that person, as a result of his or her former function, in their assessment of money laundering and terrorist financing risks in accordance with Article 20.
2. Obliged entities shall apply one or more of the measures referred to in Article 34(4) to mitigate the risks posed by the politically exposed person until such time as the risks referred to in paragraph 1 of this Article no longer exist, but in any case for not less than 12 months following the time when the individual ceased to be entrusted with a prominent public function.
3. The obligation referred to in paragraph 2 shall apply accordingly where an obliged entity carries out an occasional transaction or enters into a business relationship with a person who in the past was entrusted with a prominent public function by the Union, a Member State, third country or an international organisation.
Article 46
Family members and persons known to be close associates of politically exposed persons
The measures referred to in Articles 42, 44 and 45 shall also apply to family members or persons known to be close associates of politically exposed persons.
SECTION 5
Specific customer due diligence provisions
Article 47
Specifications for the life and other investment-related insurance sector
For life or other investment-related insurance business, in addition to the customer due diligence measures required for the customer and the beneficial owner, obliged entities shall apply the following customer due diligence measures on the beneficiaries of life insurance and other investment-related insurance policies, as soon as the beneficiaries are identified or designated:
| (a) | in the case of beneficiaries that are identified as specifically named persons or legal arrangements, recording the name of the person or arrangement; |
| (b) | in the case of beneficiaries that are designated by characteristics or by class or by other means, obtaining sufficient information concerning those beneficiaries so that it will be able to establish the identity of the beneficiary at the time of the payout. |
For the purposes of the first subparagraph, the verification of the identity of the beneficiaries and, where relevant, their beneficial owners shall take place at the time of the payout. In the case of assignment, in whole or in part, of the life or other investment-related insurance to a third party, obliged entities aware of the assignment shall identify the beneficial owner at the time of the assignment to the natural or legal person or legal arrangement receiving for its own benefit the value of the policy assigned.
SECTION 6
Reliance on customer due diligence performed by other obliged entities
Article 48
General provisions relating to reliance on other obliged entities
1. Obliged entities may rely on other obliged entities, whether located in a Member State or in a third country, to meet the customer due diligence requirements laid down in Article 20(1), points (a), (b) and (c), provided that:
| (a) | the other obliged entities apply customer due diligence requirements and record-keeping requirements laid down in this Regulation, or equivalent when the other obliged entities reside or are established in a third country; |
| (b) | compliance with AML/CFT requirements by the other obliged entities is supervised in a manner consistent with Chapter IV of Directive (EU) 2024/1640. |
The ultimate responsibility for meeting the customer due diligence requirements shall remain with the obliged entity which relies on another obliged entity.
2. When deciding to rely on other obliged entities located in third countries, obliged entities shall take into consideration the geographical risk factors listed in Annexes II and III and any relevant information or guidance provided by the Commission, or by AMLA or other competent authorities.
3. In the case of obliged entities that are part of a group, compliance with the requirements of this Article and of Article 49 may be ensured through group-wide policies, procedures and controls provided that all the following conditions are met:
| (a) | the obliged entity relies on information provided solely by an obliged entity that is part of the same group; |
| (b) | the group applies AML/CFT policies and procedures, customer due diligence measures and rules on record-keeping that are fully in compliance with this Regulation, or with equivalent rules in third countries; |
| (c) | the effective implementation of the requirements referred to in point (b) of this paragraph is supervised at group level by the supervisory authority of the home Member State in accordance with Chapter IV of Directive (EU) 2024/1640 or of the third country in accordance with the rules of that third country. |
4. Obliged entities shall not rely on obliged entities established in third countries identified pursuant to Section 2 of this Chapter. However, obliged entities established in the Union whose branches and subsidiaries are established in those third countries may rely on those branches and subsidiaries, where all the conditions laid down in paragraph 3, are met.
Article 49
Process of reliance on another obliged entity
1. Obliged entities shall obtain from the obliged entity relied upon all the necessary information concerning the customer due diligence measures laid down in Article 20(1), points (a), (b) and (c), or the business being introduced.
2. Obliged entities which rely on other obliged entities shall take all necessary steps to ensure that the obliged entity relied upon provides, upon request:
| (a) | copies of the information collected to identify the customer; |
| (b) | all supporting documents or trustworthy sources of information that were used to verify the identity of the client, and, where relevant, of the customer’s beneficial owners or persons on whose behalf the customer acts, including data obtained through electronic identification means and relevant trust services as set out in Regulation (EU) No 910/2014; and |
| (c) | any information collected on the purpose and intended nature of the business relationship. |
3. The information referred to in paragraphs 1 and 2 shall be provided by the obliged entity relied upon without delay and in any case within 5 working days.
4. The conditions for the transmission of the information and documents mentioned in paragraphs 1 and 2 shall be specified in a written agreement between the obliged entities.
5. Where the obliged entity relies on an obliged entity that is part of its group, the written agreement may be replaced by an internal procedure established at group level, provided that the conditions laid down in Article 48(3) are met.
Article 50
Guidelines on reliance on other obliged entities
By 10 July 2027, AMLA shall issue guidelines addressed to obliged entities on:
| (a) | the conditions which are acceptable for obliged entities to rely on information collected by another obliged entity, including in the case of remote customer due diligence; |
| (b) | the roles and responsibility of the obliged entities involved in a situation of a reliance on another obliged entity; |
| (c) | supervisory approaches to reliance on other obliged entities. |
CHAPTER IV
BENEFICIAL OWNERSHIP TRANSPARENCY
Article 51
Identification of beneficial owners for legal entities
Beneficial owners of legal entities shall be the natural persons who:
| (a) | have, directly or indirectly, an ownership interest in the corporate entity; or |
| (b) | control, directly or indirectly, the corporate or other legal entity, through ownership interest or via other means. |
Control via other means as referred to in the first paragraph, point (b), shall be identified independently of and in parallel to the existence of an ownership interest or control through ownership interest.
Article 52
Beneficial ownership through ownership interest
1. For the purpose of Article 51, first paragraph, point (a), ‘an ownership interest in the corporate entity’ shall mean direct or indirect ownership of 25 % or more of the shares or voting rights or other ownership interest in the corporate entity, including rights to a share of profits, other internal resources or liquidation balance. The indirect ownership shall be calculated by multiplying the shares or voting rights or other ownership interests held by the intermediate entities in the chain of entities in which the beneficial owner holds shares or voting rights and by adding together the results from those various chains, unless Article 54 applies.
For the purposes of assessing whether an ownership interest exists in the corporate entity, all shareholdings on every level of ownership shall be taken into account.
2. Where Member States identify pursuant to Article 8(4), point (c), of Directive (EU) 2024/1640 categories of corporate entities that are exposed to higher money laundering and terrorist financing risks, including based on the sectors in which they operate, they shall inform the Commission thereof. By 10 July 2029, the Commission shall assess whether the risks associated with those categories of legal entities are relevant for the internal market and, where it concludes that a lower threshold is appropriate to mitigate those risks, adopt delegated acts in accordance with Article 85 to amend this Regulation by identifying:
| (a) | the categories of corporate entities that are associated with higher money laundering and terrorist financing risks and for which a lower threshold shall apply; |
| (b) | the related thresholds. |
The lower threshold referred to in the first subparagraph shall be set at a maximum of 15 % of ownership interest in the corporate entity, unless the Commission concludes, on the basis of risk, that a higher threshold would be more proportionate, which shall in any case be set at less than 25 %.
3. The Commission shall review the delegated act referred to in paragraph 2 on a regular basis to ensure that it identifies the relevant categories of corporate entities that are associated with higher risks, and that the related thresholds are commensurate with those risks.
4. In the case of legal entities other than corporate entities, for which, having regard to their form and structure, it is not appropriate or possible to calculate ownership, the beneficial owners shall be the natural persons who control via other means, directly or indirectly, the legal entity, pursuant to Article 53(3) and (4), except where Article 57 applies.
Article 53
Beneficial ownership through control
1. Control over a corporate or other legal entity shall be exercised through ownership interest or via other means.
2. For the purposes of this Chapter, the following definitions apply:
| (a) | ‘control of the legal entity’ means the possibility to exercise, directly or indirectly, significant influence and impose relevant decisions within the legal entity; |
| (b) | ‘indirect control of a legal entity’ means control of intermediate legal entities in the ownership structure or in various chains of the ownership structure, where the direct control is identified on each level of the structure; |
| (c) | ‘control through ownership interest of the corporate entity’ means direct or indirect ownership of 50 % plus one of the shares or voting rights or other ownership interest in the corporate entity. |
3. Control of the legal entity via other means shall in any case include the possibility to exercise:
| (a) | in the case of a corporate entity, the majority of the voting rights in the corporate entity, whether or not shared by persons acting in concert; |
| (b) | the right to appoint or remove a majority of the members of the board or the administrative, management or supervisory body or similar officers of the legal entity; |
| (c) | relevant veto rights or decision rights attached to the share of the corporate entity; |
| (d) | decisions regarding distribution of profit of the legal entity or leading to a shift in assets in the legal entity. |
4. In addition to paragraph 3, control of the legal entity may be exercised via other means. Depending on the particular situation of the legal entity and its structure, other means of control may include:
| (a) | formal or informal agreements with owners, members or the legal entities, provisions in the articles of association, partnership agreements, syndication agreements, or equivalent documents or agreements depending on the specific characteristics of the legal entity, as well as voting arrangements; |
| (b) | relationships between family members; |
| (c) | use of formal or informal nominee arrangements. |
For the purpose of this paragraph, ‘formal nominee arrangement’ means a contract or an equivalent arrangement, between a nominator and a nominee, where the nominator is a legal entity or natural person that issues instructions to a nominee to act on their behalf in a certain capacity, including as a director or shareholder or settlor, and the nominee is a legal entity or natural person instructed by the nominator to act on their behalf.
Article 54
Coexistence of ownership interest and control in the ownership structure
Where corporate entities are owned through a multi-layered ownership structure, and in one or more chains of that structure the ownership interest and the control coexist in relation to different layers of the chain, the beneficial owners shall be:
| (a) | the natural persons who control, directly or indirectly, through ownership interest or via other means, legal entities that have a direct ownership interest in the corporate entity, whether individually or cumulatively; |
| (b) | the natural persons who, whether individually or cumulatively, directly or indirectly, have an ownership interest in the corporate entity that controls, through ownership interest or via other means, the corporate entity, directly or indirectly. |
Article 55
Ownership structures involving legal arrangements or similar legal entities
Where legal entities referred to in Article 57 or legal arrangements have an ownership interest in the corporate entity, whether individually or cumulatively, or control, directly or indirectly, the corporate entity, through ownership interest or via other means, the beneficial owners shall be the natural persons who are the beneficial owners of the legal entities referred to in Article 57 or of the legal arrangements.
Article 56
Notifications
Each Member State shall notify to the Commission by 10 October 2027 a list of the types of legal entities existing under its national law with beneficial owners identified in accordance with Article 51 and Article 52(4). That notification shall include the specific categories of entities, description of characteristics and, where applicable, legal basis under the national law of the Member State concerned. It shall also include an indication of whether, due to the specific form and structures of legal entities other than corporate entities, the mechanism under Article 63(4) applies, accompanied by a detailed justification of the reasons for that.
The Commission shall communicate the notification referred to in the first paragraph to other Member States.
Article 57
Identification of beneficial owners for legal entities similar to express trust
1. In the case of legal entities other than those referred to in Article 51, similar to express trust, such as foundations, the beneficial owners shall be all the following natural persons:
| (a) | the founders; |
| (b) | the members of the management body in its management function; |
| (c) | the members of the management body in its supervisory function; |
| (d) | the beneficiaries, unless Article 59 applies; |
| (e) | any other natural person, who controls directly or indirectly the legal entity. |
2. In cases where legal entities referred to in paragraph 1 belong to multi-layered control structures, where any of the positions listed in paragraph 1 is held by a legal entity, beneficial owners of the legal entity referred to in paragraph 1 shall be:
| (a) | the natural persons listed in paragraph 1; and |
| (b) | the beneficial owners of the legal entities that occupy any of the positions listed in paragraph 1. |
3. Member States shall notify to the Commission by 10 October 2027 a list of types of legal entities, of which the beneficial owners are identified in accordance with paragraph 1.
The notification referred to in the first subparagraph shall be accompanied by a description of:
| (a) | the form and basic features of those legal entities; |
| (b) | the process through which they can be set up; |
| (c) | the process for accessing basic information and beneficial ownership information on those legal entities; |
| (d) | the websites at which the central registers containing information on beneficial owners of those legal entities can be consulted and contact details of the entities in charge of those registers. |
4. The Commission may adopt, by means of an implementing act, a list of types of legal entities governed by the law of Member States which should be subject to the requirements of this Article. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 86(2).
Article 58
Identification of beneficial owners for express trusts and similar legal arrangements
1. The beneficial owners of express trusts shall be all the following natural persons:
| (a) | the settlors; |
| (b) | the trustees; |
| (c) | the protectors, if any; |
| (d) | the beneficiaries, unless Article 59 or 60 applies; |
| (e) | any other natural persons exercising ultimate control over the express trust by means of direct or indirect ownership or by other means, including through a chain of control or ownership. |
2. The beneficial owners of other legal arrangements similar to express trusts shall be the natural persons holding equivalent or similar positions to those referred to in paragraph 1.
3. Where legal arrangements belong to multi-layered control structures and where any of the positions listed in paragraph 1 is held by a legal entity, the beneficial owners of the legal arrangement shall be:
| (a) | the natural persons listed in paragraph 1; and |
| (b) | the beneficial owners of the legal entities that occupy any of the positions listed in paragraph 1. |
4. Member States shall notify to the Commission by 10 October 2027 a list of types of legal arrangements similar to express trusts which are governed under their law.
The notification shall be accompanied by a description of:
| (a) | the form and basic features of those legal arrangements; |
| (b) | the process through which those legal arrangements can be set up; |
| (c) | the process for accessing basic information and beneficial ownership information on those legal arrangements; |
| (d) | the websites at which the central registers containing information on beneficial owners of those legal arrangements can be consulted and the contact details of the entities in charge of those registers. |
The notification shall also be accompanied by a justification detailing the reasons why the Member State considers the notified legal arrangements to be similar to express trusts and why it concluded that other legal arrangements governed under its law are not similar to express trusts.
5. The Commission may adopt, by means of an implementing act, a list of types of legal arrangements governed under the law of Member States which should be subject to the same beneficial ownership transparency requirements as express trusts, accompanied by the information referred to in paragraph 4, second subparagraph of this Article. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 86(2).
Article 59
Identification of a class of beneficiaries
1. In the case of legal entities similar to express trusts under Article 57 or, with the exception of discretionary trusts, express trusts and similar legal arrangements under Article 58, where beneficiaries have yet to be determined, the class of beneficiaries and its general characteristics shall be identified. Beneficiaries within the class shall be beneficial owners as soon as they are identified or designated.
2. In the following cases, only the class of beneficiaries and its characteristics shall be identified:
| (a) | pension schemes within the scope of Directive (EU) 2016/2341; |
| (b) | employee financial ownership or participation schemes, provided that Member States, following an appropriate risk assessment, have concluded a low risk of misuse for money laundering or terrorist financing; |
| (c) | legal entities similar to express trusts under Article 57, express trusts and similar legal arrangements under Article 58, provided that:
|
3. Member State shall notify to the Commission the categories of legal entities, express trusts or similar legal arrangements under paragraph 2, together with a justification based on the specific risk assessment. The Commission shall communicate that notification to the other Member States.
Article 60
Identification of objects of a power and default takers in discretionary trusts
In the case of discretionary trusts, where beneficiaries have yet to be selected, the objects of a power and default takers shall be identified. Beneficiaries among the objects of a power shall be beneficial owners as soon as they are selected. Default takers shall be beneficial owners when the trustees fail to exercise their discretion.
Where discretionary trusts meet the conditions laid down in Article 59(2), only the class of objects of a power and default takers shall be identified. Those categories of discretionary trusts shall be notified to the Commission in accordance with paragraph 3 of that Article.
Article 61
Identification of beneficial owners of collective investment undertakings
By way of derogation from Article 51, first paragraph and Article 58(1), the beneficial owners of collective investment undertakings shall be the natural persons who fulfil one or more of the following conditions:
| (a) | they hold directly or indirectly 25 % or more of the units held in the collective investment undertaking; |
| (b) | they have the ability to define or influence the investment policy of the collective investment undertaking; |
| (c) | they control the activities of the collective investment undertaking through other means. |
Article 62
Beneficial ownership information
1. Legal entities and trustees of express trusts or persons holding equivalent positions in similar legal arrangements shall ensure that the beneficial ownership information which they hold, provide to obliged entities in the context of customer due diligence procedures in accordance with Chapter III or submit to central registers is adequate, accurate, and up-to-date.
The beneficial ownership information referred to in the first subparagraph shall include the following:
| (a) | all names and surnames, place and full date of birth, residential address, country of residence and nationality or nationalities of the beneficial owner, number of identity document, such as passport or national identity document, and, where it exists, unique personal identification number assigned to the person by his or her country of usual residence, and general description of the source of such number; |
| (b) | the nature and extent of the beneficial interest held in the legal entity or legal arrangement, whether through ownership interest or control via other means, as well as the date as of which the beneficial interest is held; |
| (c) | information on the legal entity of which the natural person is the beneficial owner in accordance with Article 22(1), point (b), or, in the case of legal arrangements of which the natural person is the beneficial owner, basic information on the legal arrangement; |
| (d) | where the ownership and control structure contains more than one legal entity or legal arrangement, a description of such structure, including names and, where it exists, identification numbers of the individual legal entities or legal arrangements that are part of that structure, and a description of the relationships between them, including the share of the interest held; |
| (e) | where a class of beneficiaries is identified under Article 59, general description of the characteristic of the class of beneficiaries; |
| (f) | where objects of a power and default takers are identified under Article 60:
|
2. Legal entities and trustees of express trusts or persons holding an equivalent position in a similar legal arrangement shall obtain adequate, accurate, and up-to-date beneficial ownership information within 28 calendar days of the creation of the legal entity or the setting up of the legal arrangement. That information shall be updated promptly, and, in any case, within 28 calendar days of any change thereto, as well as on an annual basis.
Article 63
Obligations of legal entities
1. All legal entities created in the Union shall obtain and hold adequate, accurate and up-to-date beneficial ownership information.
Legal entities shall provide, in addition to information about their legal owners, information on the beneficial owners to obliged entities where the obliged entities are applying customer due diligence measures in accordance with Chapter III.
2. A legal entity shall report beneficial ownership information to the central register without undue delay after its creation. Any change to that information shall be reported to the central register without undue delay and, in any case, within 28 calendar days thereof. The legal entity shall regularly verify that it holds up-to-date information on its beneficial ownership. As a minimum, such verification shall be performed annually whether as a self-standing process or as part of other periodical processes, such as the submission of financial statement.
The beneficial owners of a legal entity as well as the legal entities and, in the case of legal arrangements, their trustees or persons holding an equivalent position, which are part of the ownership or control structure of a legal entity, shall provide that legal entity with all the information necessary for the legal entity to comply with the requirements of this Chapter or to respond to any request for additional information received pursuant to Article 10(4) of Directive (EU) 2024/1640.
3. Where, having exhausted all possible means of identification pursuant to Articles 51 to 57, no person is identified as beneficial owner, or where there is substantial and justified uncertainty on the part of the legal entity that the persons identified are the beneficial owners, legal entities shall keep records of the actions taken in order to identify their beneficial owners.
4. In the cases referred to in paragraph 3 of this Article, when providing beneficial ownership information in accordance with Article 20 of this Regulation and Article 10 of Directive (EU) 2024/1640, legal entities shall provide the following:
| (a) | a statement that there is no beneficial owner or that the beneficial owners could not be determined, accompanied by a justification as to why it was not possible to determine the beneficial owner in accordance with Articles 51 to 57 of this Regulation and what constitutes uncertainty about the ascertained information; |
| (b) | the details of all natural persons who hold the position of senior managing officials in the legal entity equivalent to the information required under Article 62(1), second subparagraph, point (a) of this Regulation. |
For the purpose of this paragraph, ‘senior managing officials’ means the natural persons who are the executive members of the management body, as well as the natural persons who exercise executive functions within a legal entity and are responsible, and accountable to the management body, for the day-to-day management of the entity.
5. Legal entities shall make the information collected pursuant to this Article available, upon request and without delay, to competent authorities.
6. The information referred to in paragraph 4 shall be maintained for 5 years after the date on which the legal entities are dissolved or otherwise cease to exist, whether by persons designated by the entity to retain the documents, or by administrators or liquidators or other persons involved in the dissolution of the entity. The identity and contact details of the person responsible for retaining the information shall be reported to the central registers.
Article 64
Trustee obligations
1. In the case of any legal arrangement administered in a Member State or whose trustee or the person holding an equivalent position in a similar legal arrangement resides or is established in a Member State, trustees and persons holding an equivalent position in a similar legal arrangement shall obtain and hold the following information regarding the legal arrangement:
| (a) | basic information on the legal arrangement; |
| (b) | adequate, accurate and up-to-date beneficial ownership information as provided under Article 62; |
| (c) | where legal entities or legal arrangements are parties to the legal arrangement, basic information and beneficial ownership information on those legal entities and legal arrangements; |
| (d) | information on any agent authorised to act on behalf of the legal arrangement or to take any action in relation to it, and on the obliged entities with which the trustee or person holding an equivalent position in a similar legal arrangement enter into a business relationship on behalf of the legal arrangement. |
The information referred to in the first subparagraph shall be maintained for 5 years after the involvement of the trustee or the person holding an equivalent position with the express trust or similar legal arrangement ceases to exist.
2. The trustee or the person holding an equivalent position in a similar legal arrangement shall obtain and report to the central register beneficial ownership information and basic information on the legal arrangement without undue delay after the setting up of the express trust or similar legal arrangement and, in any case, within 28 calendar days thereof. The trustee or the person holding an equivalent position in a similar legal arrangement shall ensure that any change of beneficial ownership or of the basic information on the legal arrangement is reported to the central register without undue delay, and in any case, within 28 calendar days thereof.
The trustee or the person holding an equivalent position in a similar legal arrangement shall regularly verify that the information they hold over the legal arrangement pursuant to paragraph 1, first subparagraph, is updated. Such verification shall be performed at least annually, whether as a self-standing process or as part of other periodical processes.
3. The trustees or the persons holding an equivalent position in a similar legal arrangement referred to in paragraph 1 shall disclose their status and provide the information on the beneficial owners and on the assets of the legal arrangements that are to be managed in the context of a business relationship or occasional transaction to obliged entities when the obliged entities are applying customer due diligence measures in accordance with Chapter III.
4. The beneficial owners of a legal arrangement other than the trustees or persons holding an equivalent position, its agents and the obliged entities servicing the legal arrangement, as well as any person and, in the case of legal arrangements, their trustees, who are part of the multi-layered control structure of the legal arrangement, shall provide the trustees or persons holding an equivalent position in a similar legal arrangement with all the information and documentation necessary for the trustees or persons holding an equivalent position to comply with the requirements of this Chapter.
5. Trustees of an express trust and persons holding an equivalent position in a similar legal arrangement shall make the information collected pursuant to this Article available, upon request and without delay, to competent authorities.
6. In the case of legal arrangements whose parties are legal entities, where, after having exhausted all possible means of identification pursuant to Articles 51 to 57, no person is identified as beneficial owner of those legal entities, or where there is substantial and justified uncertainty that the persons identified are the beneficial owners, trustees of express trusts or persons in an equivalent position in similar legal arrangements shall keep records of the actions taken in order to identify their beneficial owners.
7. In the cases referred to in paragraph 6 of this Article, when providing beneficial ownership information in accordance with Article 20 of this Regulation and Article 10 of Directive (EU) 2024/1640, trustees of express trusts or persons in an equivalent position in similar legal arrangements shall provide the following:
| (a) | a statement that there is no beneficial owner or that the beneficial owners could not be determined, accompanied by a justification as to why it was not possible to determine the beneficial owner in accordance with Article 51 to 57 of this Regulation and what constitutes uncertainty about the ascertained information; |
| (b) | the details of all natural persons who hold the position of senior managing officials in the legal entity that is party to the legal arrangement equivalent to the information required under Article 62(1), second subparagraph, point (a), of this Regulation. |
Article 65
Exceptions to obligations of legal entities and legal arrangements
Articles 63 and 64 shall not apply to:
| (a) | companies whose securities are admitted to trading on a regulated market, provided that:
|
| (b) | bodies governed by public law as defined in Article 2(1), point (4), of Directive 2014/24/EU of the European Parliament and of the Council (43). |
Article 66
Nominee obligations
Nominee shareholders and nominee directors of a legal entity shall maintain adequate, accurate and up-to-date information on the identity of their nominator and the nominator’s beneficial owners and disclose them, as well as their status, to the legal entity. Legal entities shall report that information to the central register.
Legal entities shall also report the information referred to in the first paragraph to obliged entities when the obliged entities are applying customer due diligence measures in accordance with Chapter III.
Article 67
Foreign legal entities and foreign legal arrangements
1. Legal entities created outside the Union and trustees of express trusts or persons holding an equivalent position in a similar legal arrangement that are administered outside the Union or that reside or are established outside the Union shall submit beneficial ownership information pursuant to Article 62 to the central register of the Member State where they:
| (a) | enter into a business relationship with an obliged entity; |
| (b) | acquire real estate in the Union, whether directly or through intermediaries; |
| (c) | acquire, whether directly or through intermediaries, any of the following goods from persons trading as referred to in Article 3, points (3) (f) and (j), in the context of an occasional transaction:
|
| (d) | are awarded a public contract for goods or services, or concessions by a contracting authority in the Union. |
2. By way of derogation from paragraph 1, point (a), where legal entities created outside the Union enter into a business relationship with an obliged entity, they shall only submit their beneficial ownership information to the central register where:
| (a) | they enter into a business relationship with an obliged entity that is associated with medium-high or high money laundering and terrorist financing risks pursuant to the risk assessment at Union level or the national risk assessment of the Member State concerned referred to in Articles 7 and 8 of Directive (EU) 2024/1640; or |
| (b) | the risk assessment at Union level or the national risk assessment of the Member State concerned identifies that the category of legal entity or the sector in which the legal entity created outside the Union operates is associated, where relevant, with medium-high or high money laundering and terrorist financing risks. |
3. The beneficial ownership information shall be accompanied by a statement setting out in relation to which of those activities the information is submitted, as well as any relevant document, and shall be submitted:
| (a) | for the cases referred to in paragraph 1, point (a), prior to start of the business relationship; |
| (b) | for the cases referred to in paragraph 1, points (b) and (c), before completion of the purchase; |
| (c) | for the cases referred to in paragraph 1, point (d), before signature of the contract. |
4. For the purposes of paragraph 1, point (a), obliged entities shall inform the legal entities where the conditions laid down in paragraph 2 are met and require a certificate of proof of registration or an excerpt of the beneficial ownership information held in the central register to proceed with the business relationship or occasional transaction.
5. In the cases covered by paragraph 1, legal entities created outside the Union and trustees of express trusts or persons holding an equivalent position in a similar legal arrangement that are administered outside the Union or that reside or are established outside the Union shall report any change to the beneficial ownership information submitted to the central register pursuant to paragraph 1 without undue delay, and in any case, within 28 calendar days thereof.
The first subparagraph shall apply:
| (a) | for the cases referred to in paragraph 1, point (a), for the entire duration of the business relationship with the obliged entity; |
| (b) | for the cases referred to in paragraph 1, point (b), for as long as the legal entity or legal arrangement owns the real estate; |
| (c) | for the cases referred to in paragraph 1, point (c), for the period between the initial submission of the information to the central register and the completion of the purchase; |
| (d) | for the cases referred to in paragraph 1, point (d), for the entire duration of the contract. |
6. Where the legal entity, the trustee of the express trust or the person holding an equivalent position in a similar legal arrangement meets the conditions laid down in paragraph 1 in different Member States, a certificate of proof of registration of the beneficial ownership information in a central register held by one Member State shall be considered as sufficient proof of registration.
7. Where, on 10 July 2027, legal entities created outside the Union or legal arrangements administered outside the Union or whose trustee or person holding an equivalent position in a similar legal arrangement resides or is established outside the Union own, whether directly or through intermediaries, real estate, the beneficial ownership information of those legal entities and legal arrangements shall be submitted to the central register and accompanied by a justification for that submission by 10 January 2028.
However, the first subparagraph shall not apply to legal entities or legal arrangements that have acquired real estate in the Union prior to 1 January 2014.
Member States may decide, on the basis of risk, that an earlier date applies and notify the Commission thereof. The Commission shall communicate such decisions to the other Member States.
8. Member States may, on the basis of risk, extend the obligation set out in paragraph 1, point (a), to business relationships with foreign legal entities that are ongoing on 10 July 2027 and notify the Commission thereof. The Commission shall communicate such decisions to the other Member States.
Article 68
Penalties
1. Member States shall lay down rules on the penalties applicable to breaches of the provisions of this Chapter and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive.
Member States shall by 10 January 2025 notify the Commission of those rules on penalties together with their legal basis and shall notify it, without delay, of any subsequent amendment affecting them.
2. By 10 July 2026, the Commission shall adopt delegated acts in accordance with Article 85 to supplement this Regulation by defining:
| (a) | the categories of breaches that are subject to penalties and the persons liable for such breaches; |
| (b) | indicators to classify the level of gravity of breaches that are subject to penalties; |
| (c) | the criteria to be taken into account when setting the level of penalties. |
The Commission shall regularly review the delegated act referred to in the first subparagraph to ensure that it identifies the relevant categories of breaches and that the related penalties are effective, dissuasive and proportionate.
CHAPTER V
REPORTING OBLIGATIONS
Article 69
Reporting of suspicions
1. Obliged entities, and, where applicable, their directors and employees, shall cooperate fully with the FIU by promptly:
| (a) | reporting to the FIU, on their own initiative, where the obliged entity knows, suspects or has reasonable grounds to suspect that funds or activities, regardless of the amount involved, are the proceeds of criminal activity or are related to terrorist financing or criminal activity and by responding to requests by the FIU for additional information in such cases; |
| (b) | providing the FIU, at its request, with all necessary information, including information on transaction records, within the deadlines imposed. |
All suspicious transactions, including attempted transactions and suspicions arising from the inability to conduct customer due diligence shall be reported in accordance with the first subparagraph.
For the purposes of the first subparagraph, obliged entities shall reply to requests for information by the FIU within 5 working days. In justified and urgent cases, FIUs may shorten that deadline, including to less than 24 hours.
By way of derogation from the third subparagraph, the FIU may extend the deadline for a response beyond the 5 working days where it considers it justified and provided that the extension does not undermine the FIU’s analysis.
2. For the purposes of paragraph 1, obliged entities shall assess transactions or activities carried out by their customers on the basis of and against any relevant fact and information known to them or which they are in possession of. Where necessary, obliged entities shall prioritise their assessment taking into consideration the urgency of the transaction or activity and the risks affecting the Member State in which they are established.
A suspicion pursuant to paragraph 1, point (a), shall be based on the characteristics of the customer and their counterparts, the size and nature of the transaction or activity or the methods and patterns thereof, the link between several transactions or activities, the origin, destination or use of funds, or any other circumstance known to the obliged entity, including the consistency of the transaction or activity with the information obtained pursuant to Chapter III including the risk profile of the client.
3. By 10 July 2026, AMLA shall develop draft implementing technical standards and submit them to the Commission for adoption. Those draft implementing technical standards shall specify the format to be used for the reporting of suspicions pursuant to paragraph 1, point (a), and for the provision of transaction records pursuant to paragraph 1, point (b).
4. Power is conferred on the Commission to adopt the implementing technical standards referred to in paragraph 3 of this Article in accordance with Article 53 of Regulation (EU) 2024/1620.
5. By 10 July 2027, AMLA shall issue guidelines on indicators of suspicious activity or behaviours. Those guidelines shall be periodically updated.
6. The compliance officer appointed in accordance with Article 11(2) shall transmit the information referred to in paragraph 1 of this Article to the FIU of the Member State in whose territory the obliged entity transmitting the information is established.
7. Obliged entities shall ensure that the compliance officer appointed in accordance with Article 11(2), as well as any employee or person in a comparable position, including agents and distributors, involved in the performance of the tasks covered by this Article are protected against retaliation, discrimination and any other unfair treatment for carrying out those tasks.
This paragraph shall not affect the protection that the persons referred to in the first subparagraph may be entitled to under Directive (EU) 2019/1937.
8. Where the activities of a partnership for information sharing result in the knowledge, suspicion or reasonable grounds to suspect that funds, regardless of the amount involved, are the proceeds of criminal activity or are related to terrorist financing, obliged entities which identified suspicions in relation to the activities of their customers may designate one among them which shall be tasked with the submission of a report to the FIU pursuant to paragraph 1, point (a). Such submission shall include at least the name and contact details of all the obliged entities that participated in the activities giving rise to the report.
Where the obliged entities referred to in the first subparagraph are established in several Member States, the information shall be reported to each relevant FIU. To that end, obliged entities shall ensure that the report is submitted by an obliged entity within the territory of the Member States where the FIU is located.
Where the obliged entities decide not to avail themselves of the possibility to submit a single report with the FIU pursuant to the first subparagraph, they shall include a reference in their reports to the fact that the suspicion is the result of the activities of a partnership for information sharing.
9. The obliged entities referred to in paragraph 8 of this Article shall retain a copy of any reports submitted pursuant to that paragraph in accordance with Article 77.
Article 70
Specific provisions for reporting of suspicions by certain categories of obliged entities
1. By way of derogation from Article 69(1), Member States may allow obliged entities referred to in Article 3, point (3)(a) and (b), to transmit the information referred to in Article 69(1) to a self-regulatory body designated by the Member State.
The designated self-regulatory body shall forward the information referred to in the first subparagraph to the FIU promptly and unfiltered.
2. Notaries, lawyers, other independent legal professionals, auditors, external accountants and tax advisors shall be exempted from the requirements laid down in Article 69(1) to the extent that such exemption relates to information that they receive from, or obtain on a client, in the course of ascertaining the legal position of that client, or performing their task of defending or representing that client in, or concerning, judicial proceedings, including providing advice on instituting or avoiding such proceedings, regardless of whether such information is received or obtained before, during or after such proceedings.
The exemption set out in the first subparagraph shall not apply when the obliged entities referred to therein:
| (a) | take part in money laundering, its predicate offences or terrorist financing; |
| (b) | provide legal advice for the purposes of money laundering, its predicate offences or terrorist financing; or |
| (c) | know that the client is seeking legal advice for the purposes of money laundering, its predicate offences or terrorist financing; knowledge or purpose may be inferred from objective factual circumstances. |
3. In addition to the situations referred to in paragraph 2, second subparagraph, where justified on the basis of the higher risks of money laundering, its predicate offences or terrorist financing associated with certain types of transactions, Member States may decide that the exemption referred to in paragraph 2, first subparagraph, does not apply to those types of transactions and, as appropriate, impose additional reporting obligations on the obliged entities referred to in that paragraph. Member States shall notify the Commission of any decision taken pursuant to this paragraph. The Commission shall communicate such decisions to the other Member States.
Article 71
Refraining from carrying out transactions
1. Obliged entities shall refrain from carrying out transactions which they know or suspect to be related to proceeds of criminal activity or to terrorist financing until they have submitted a report in accordance with Article 69(1), first subparagraph, point (a), and have complied with any further specific instructions from the FIU or other competent authority in accordance with the applicable law. Obliged entities may carry out the transaction concerned after having assessed the risks of proceeding with the transaction if they have not received instructions to the contrary from the FIU within 3 working days of submitting the report.
2. Where it is not possible for an obliged entity to refrain from carrying out a transaction as referred to in paragraph 1or where refraining would be likely to frustrate efforts to pursue the beneficiaries of a suspected transaction, the obliged entity shall inform the FIU immediately after carrying out the transaction.
Article 72
Disclosure to FIU
Disclosure of information to the FIU in good faith by an obliged entity or by an employee or director of such an obliged entity in accordance with Articles 69 and 70 shall not constitute a breach of any restriction on disclosure of information imposed by contract or by any legislative, regulatory or administrative provision, and shall not involve the obliged entity or its directors or employees in liability of any kind even in circumstances where they were not precisely aware of the underlying criminal activity and regardless of whether illegal activity actually occurred.
Article 73
Prohibition of disclosure
1. Obliged entities and their directors, employees, or persons in comparable positions, including agents and distributors, shall not disclose to the customer concerned or to other third persons the fact that transactions or activities are being or have been assessed in accordance with Article 69, that information is being, will be or has been transmitted in accordance with Article 69 or 70 or that a money laundering or terrorist financing analysis is being, or may be, carried out.
2. Paragraph 1 shall not apply to disclosures to competent authorities and to self-regulatory bodies where they perform supervisory functions, or to disclosure for the purposes of investigating and prosecuting money laundering, terrorist financing and other criminal activity.
3. By way of derogation from paragraph 1 of this Article, disclosure may take place between obliged entities that belong to the same group, or between such entities and their branches and subsidiaries established in third countries, provided that those branches and subsidiaries fully comply with the group-wide policies and procedures, including procedures for sharing information within the group, in accordance with Article 16, and that the group-wide policies and procedures comply with the requirements set out in this Regulation.
4. By way of derogation from paragraph 1 of this Article, disclosure may take place between obliged entities as referred to in Article 3, point (3)(a) and (b), or entities from third countries which impose requirements equivalent to those laid down in this Regulation, who perform their professional activities, whether as employees or not, within the same legal person or a larger structure to which the person belongs and which shares common ownership, management or compliance control, including networks or partnerships.
5. For obliged entities referred to in Article 3, points (1), (2), (3)(a) and (b), in cases relating to the same transaction involving two or more obliged entities, and by way of derogation from paragraph 1 of this Article, disclosure may take place between the relevant obliged entities provided that they are located in the Union, or with entities in a third country which imposes requirements equivalent to those laid down in this Regulation, and that they are subject to professional secrecy and personal data protection requirements.
6. Where the obliged entities referred to in Article 3, point (3)(a) and (b), seek to dissuade a client from engaging in illegal activity, that shall not constitute disclosure within the meaning of paragraph 1 of this Article.
Article 74
Threshold-based reports of transactions in certain high-value goods
1. Persons trading in high-value goods shall report to the FIU all transactions involving the sale of the following high-value goods when those goods are acquired for non-commercial purposes:
| (a) | motor vehicles for a price of at least EUR 250 000 or the equivalent in national currency; |
| (b) | watercraft for a price of at least EUR 7 500 000 or the equivalent in national currency; |
| (c) | aircraft for a price of at least EUR 7 500 000 or the equivalent in national currency. |
2. Credit institutions and financial institutions that provide services in relation to the purchase or transfer of ownership of the goods referred to in paragraph 1 shall also report to the FIU all transactions they carry out for their customers in relation to those goods.
3. Reporting pursuant to paragraphs 1 and 2 shall be carried out within the deadlines imposed by the FIU.
CHAPTER VI
INFORMATION SHARING
Article 75
Exchange of information in the framework of partnerships for information sharing
1. Members of partnerships for information sharing may share information among each other where strictly necessary for the purposes of complying with the obligations under Chapter III and Article 69 and in accordance with fundamental rights and judicial procedural safeguards.
2. Obliged entities intending to participate in a partnership for information sharing shall notify their respective supervisory authorities which shall, where relevant in consultation with each other and with the authorities in charge of verifying compliance with Regulation (EU) 2016/679, verify that the partnership for information sharing has mechanisms in place to ensure compliance with this Article and that the data protection impact assessment referred to in paragraph 4, point (h), has been carried out. The verification shall take place prior to the beginning of the activities of the partnership for information sharing. Where relevant, the supervisory authorities shall also consult the FIUs.
Responsibility for compliance with requirements under Union or national law shall remain with the participants in the partnership for information sharing.
3. Information exchanged in the framework of a partnership for information sharing shall be limited to:
| (a) | information on the customer, including any information obtained in the course of identifying and verifying the identity of the customer and, where relevant, the beneficial owner of the customer; |
| (b) | information on the purpose and intended nature of the business relationship or occasional transaction between the customer and the obliged entity, as well as, where applicable, the source of wealth and source of funds of the customer; |
| (c) | information on customer transactions; |
| (d) | information on higher and lower risk factors associated with the customer; |
| (e) | the obliged entity’s analysis of the risks associated with the customer pursuant to Article 20(2); |
| (f) | information held by the obliged entity pursuant to Article 77(1); |
| (g) | information on suspicions pursuant to Article 69. |
The information referred to in the first subparagraph shall only be exchanged to the extent that it is necessary for the purposes of carrying out the activities of the partnership for information sharing.
4. The following conditions shall apply to the sharing of information within the context of a partnership for information sharing:
| (a) | obliged entities shall record all instances of information sharing within the partnership; |
| (b) | obliged entities shall not rely solely on the information received in the context of the partnership to comply with the requirements of this Regulation; |
| (c) | obliged entities shall not draw conclusions or take decisions that have an impact on the business relationship with the customer or on the performance of occasional transactions for the customer on the basis of information received from other participants in the partnership for information sharing without having assessed that information; any information received in the context of the partnership that is used in an assessment resulting in a decision to refuse or terminate a business relationship or to carry out an occasional transaction shall be included in the records kept pursuant to Article 21(3), and that record shall contain reference to the fact that the information originated from a partnership for information sharing; |
| (d) | obliged entities shall carry out their own assessment of transactions involving customers in order to assess which ones may be related to money laundering or terrorist financing or involve proceeds of criminal activity; |
| (e) | obliged entities shall implement appropriate technical and organisational measures, including measures to allows pseudonymisation, to ensure a level of security and confidentiality proportionate to the nature and extent of the information exchanged; |
| (f) | the sharing of information shall be carried out only in relation to customers:
|
| (g) | information generated through the use of artificial intelligence, machine learning technologies or algorithms may only be shared where those processes were subject to adequate human oversight; |
| (h) | a data protection impact assessment referred to in Article 35 of Regulation (EU) 2016/679 shall be carried out prior to the processing of any personal data; |
| (i) | the competent authorities that are members of a partnership for information sharing shall only obtain, provide and exchange information to the extent that this is necessary for the performance of their tasks under relevant Union or national law; |
| (j) | where competent authorities referred to in Article 2(1), point (44)(c), of this Regulation participate in a partnership for information sharing, they shall only obtain, provide or exchange personal data and operational information in accordance with national law transposing Directive (EU) 2016/680 of the European Parliament and of the Council (44) and with the applicable provisions of national criminal procedural law, including prior judicial authorisation or any other national procedural safeguard as required; |
| (k) | the exchange of information on suspicious transactions pursuant to paragraph 3, point (g), of this Article shall only take place where the FIU to which the suspicious transaction report was submitted pursuant to Articles 69 or 70 has agreed with such disclosure. |
5. Information received in the context of a partnership for information sharing shall not be further transmitted, except where:
| (a) | the information is provided to another obliged entity pursuant to Article 49(1); |
| (b) | the information is to be included in a report submitted to the FIU or provided in response to a FIU request pursuant to Article 69(1); |
| (c) | the information is provided to AMLA pursuant to Article 93 of Regulation (EU) 2024/1620; |
| (d) | the information is requested by law enforcement or judicial authorities, subject to any prior authorisations or other procedural guarantees as required under the national law. |
6. Obliged entities that participate in partnerships for information sharing shall define policies and procedures for the sharing of information in their internal policies and procedures established pursuant to Article 9. Such policies and procedures shall:
| (a) | specify the assessment to be carried out to determine the extent of information to be shared, and where relevant for the nature of the information or the applicable judicial safeguards, provide for differentiated or limited access to information for members of the partnership; |
| (b) | describe the roles and responsibilities of the parties to the partnership for information-sharing; |
| (c) | identify the risk assessments that the obliged entity will take into account to determine situations of higher risk in which information can be shared. |
The internal policies and procedures referred to in the first subparagraph shall be drawn up prior to the participation in a partnership for information sharing.
7. Where supervisory authorities deem it necessary, obliged entities participating in a partnership for information sharing shall commission an independent audit of the functioning of that partnership and shall share the results with the supervisory authorities.
CHAPTER VII
DATA PROTECTION AND RECORD RETENTION
Article 76
Processing of personal data
1. To the extent that it is strictly necessary for the purposes of preventing money laundering and terrorist financing, obliged entities may process special categories of personal data referred to in Article 9(1) of Regulation (EU) 2016/679 and personal data relating to criminal convictions and offences referred to in Article 10 of that Regulation subject to the safeguards provided for in paragraphs 2 and 3 of this Article.
2. Obliged entities shall be able to process personal data covered by Article 9 of Regulation (EU) 2016/679 provided that:
| (a) | they inform their customers or prospective customers that such categories of data may be processed for the purpose of complying with the requirements of this Regulation; |
| (b) | the data originate from reliable sources, are accurate and up-to-date; |
| (c) | they do not take decisions that would lead to biased and discriminatory outcomes on the basis of those data; |
| (d) | they adopt measures of a high level of security in accordance with Article 32 of Regulation (EU) 2016/679, in particular in terms of confidentiality. |
3. Obliged entities shall be able to process personal data covered by Article 10 of Regulation (EU) 2016/679 provided that they comply with the conditions laid down in paragraph 2 of this Article and that:
| (a) | such personal data relate to money laundering, its predicate offences or terrorist financing; |
| (b) | the obliged entities have procedures in place that allow the distinction, in the processing of such data, between allegations, investigations, proceedings and convictions, taking into account the fundamental right to a fair trial, the right of defence and the presumption of innocence. |
4. Personal data shall be processed by obliged entities on the basis of this Regulation only for the purposes of the prevention of money laundering and terrorist financing and shall not be further processed in a way that is incompatible with those purposes. The processing of personal data on the basis of this Regulation for commercial purposes shall be prohibited.
5. Obliged entities may adopt decisions resulting from automated processes, including profiling as defined in Article 4, point (4), of Regulation (EU) 2016/679, or from processes involving AI systems as defined in Article 3, point (1), of Regulation (EU) 2024/xxx of the European Parliament and of the Council (45), provided that:
| (a) | the data processed by such systems is limited to data obtained pursuant to Chapter III of this Regulation; |
| (b) | any decision to enter or refuse to enter into or maintain a business relationship with a customer or to carry out or refuse to carry out an occasional transaction for a customer, or to increase or decrease the extent of the customer due diligence measures applied pursuant to Article 20 of this Regulation, is subject to meaningful human intervention to ensure the accuracy and appropriateness of such a decision; and |
| (c) | the customer may obtain an explanation of the decision reached by the obliged entity, and may challenge that decision, except in relation to a report as referred to in Article 69 of this Regulation. |
Article 77
Record retention
1. Obliged entities shall retain the following documents and information:
| (a) | a copy of the documents and information obtained in the performance of customer due diligence pursuant to Chapter III, including information obtained through electronic identification means; |
| (b) | a record of the assessment undertaken pursuant to Article 69(2), including the information and circumstances considered and the results of such assessment, whether or not such assessment results in a suspicious transaction report being made to the FIU, and a copy of the suspicion transaction report, if any; |
| (c) | the supporting evidence and records of transactions, consisting of the original documents or copies admissible in judicial proceedings under the applicable national law, which are necessary to identify transactions; |
| (d) | when they participate in partnerships for information sharing pursuant to Chapter VI, copies of the documents and information obtained in the framework of those partnerships, and records of all instances of information sharing. |
Obliged entities shall ensure that documents, information and records kept pursuant to this Article are not redacted.
2. By way of derogation from paragraph 1, obliged entities may decide to replace the retention of copies of the information by a retention of the references to such information, provided that the nature and method of retention of such information ensure that the obliged entities can provide immediately to competent authorities the information and that the information cannot be modified or altered.
Obliged entities making use of the derogation referred to in the first subparagraph shall define in their internal procedures drawn up pursuant to Article 9, the categories of information for which they will retain a reference instead of a copy or original, as well as the procedures for retrieving the information so that it can be provided to competent authorities upon request.
3. The information referred to in paragraphs 1 and 2 shall be retained for a period of 5 years commencing on the date of the termination of the business relationship or on the date of the carrying out of the occasional transaction, or on the date of refusal to enter into a business relationship or carry out an occasional transaction. Without prejudice to retention periods for data collected for the purposes of other Union legal acts or national law complying with Regulation (EU) 2016/679, obliged entities shall delete personal data upon expiry of the five-year period.
Competent authorities may require further retention of the information referred to in the first subparagraph on a case-by-case basis, provided that such retention is necessary for the prevention, detection, investigation or prosecution of money laundering or terrorist financing. That further retention period shall not exceed 5 years.
4. Where, on 10 July 2027, legal proceedings concerned with the prevention, detection, investigation or prosecution of suspected money laundering or terrorist financing are pending in a Member State, and an obliged entity holds information or documents relating to those pending proceedings, the obliged entity may retain that information or those documents for a period of 5 years from 10 July 2027.
Member States may, without prejudice to national criminal law on evidence applicable to ongoing criminal investigations and legal proceedings, allow or require the retention of such information or documents for a further period of 5 years where the necessity and proportionality of such further retention have been established for the prevention, detection, investigation or prosecution of suspected money laundering or terrorist financing.
Article 78
Provision of records to competent authorities
Obliged entities shall have systems in place that enable them to respond fully and speedily to enquiries from their FIU or from other competent authorities, in accordance with national law, as to whether they are maintaining or have maintained, during a five-year period prior to that enquiry a business relationship with specified persons, and on the nature of that relationship, through secure channels and in a manner that ensures full confidentiality of the enquiries.
CHAPTER VIII
MEASURES TO MITIGATE RISKS DERIVING FROM ANONYMOUS INSTRUMENTS
Article 79
Anonymous accounts and bearer shares and bearer share warrants
1. Credit institutions, financial institutions and crypto-asset service providers shall be prohibited from keeping anonymous bank and payment accounts, anonymous passbooks, anonymous safe-deposit boxes or anonymous crypto-asset accounts as well as any account otherwise allowing for the anonymisation of the customer account holder or the anonymisation or increased obfuscation of transactions, including through anonymity-enhancing coins.
Owners and beneficiaries of existing anonymous bank or payment accounts, anonymous passbooks, anonymous safe-deposit boxes held by credit institutions or financial institutions, or crypto-asset accounts shall be subject to customer due diligence measures before those accounts, passbooks, or deposit boxes are used in any way.
2. Credit institutions and financial institutions acting as acquirers within the meaning of Article 2, point (1), of Regulation (EU) 2015/751 of the European Parliament and of the Council (46) shall not accept payments carried out with anonymous prepaid cards issued in third countries, unless otherwise provided for in the regulatory technical standards adopted by the Commission in accordance with Article 28 of this Regulation on the basis of a proven low risk.
3. Companies shall be prohibited from issuing bearer shares, and shall convert all existing bearer shares into registered shares, shall immobilise them within the meaning of Article 2(1), point (3), of Regulation (EU) No 909/2014, or deposit them with a financial institution by 10 July 2029. However, companies with securities listed on a regulated market or whose shares are issued as intermediated securities either through immobilisation within the meaning of Article 2(1), point (3), of that Regulation or through a direct issuance in dematerialised form within the meaning of Article 2(1), point (4), of that Regulation shall be permitted to issue new and maintain existing bearer shares. For existing bearer shares that are not converted, immobilised or deposited by 10 July 2029, all voting rights and rights to distribution attached to those shares shall be automatically suspended until their conversion, immobilisation or deposit. All such shares not converted, immobilised or deposited by 10 July 2030 shall be cancelled, leading to a share capital decrease of the corresponding amount.
Companies shall be prohibited from issuing bearer share warrants that are not in intermediated form.
Article 80
Limits to large cash payments in exchange for goods or services
1. Persons trading in goods or providing services may accept or make a payment in cash only up to an amount of EUR 10 000 or the equivalent in national or foreign currency, whether the transaction is carried out in a single operation or in several operations which appear to be linked.
2. Member States may adopt lower limits following consultation of the European Central Bank in accordance with Article 2(1) of Council Decision 98/415/EC (47). Those lower limits shall be notified to the Commission within 3 months of the measure being introduced at national level.
3. When limits already exist at national level which are below the limit set out in paragraph 1, they shall continue to apply. Member States shall notify those limits to the Commission by 10 October 2024.
4. The limit referred to in paragraph 1 shall not apply to:
| (a) | payments between natural persons who are not acting in a professional capacity; |
| (b) | payments or deposits made at the premises of credit institutions, electronic money issuers as defined in Article 2, point (3), of Directive 2009/110/EC and payment service providers as defined in Article 4, point (11), of Directive (EU) 2015/2366. |
Payments or deposits referred to in the first subparagraph, point (b) above the limit shall be reported to the FIU within the deadlines imposed by the FIU.
5. Member States shall ensure that appropriate measures, including the imposition of penalties, are taken against natural or legal persons acting in their professional capacity which are suspected of a breach of the limit set out in paragraph 1, or of a lower limit adopted by the Member States.
6. The overall level of the penalties shall be calculated, in accordance with the relevant provisions of national law, in such way as to produce results proportionate to the seriousness of the infringement, thereby effectively discouraging further offences of the same kind.
7. Where, by reason of force majeure, means of payment by funds as defined in Article 4, point (25), of Directive (EU) 2015/2366 other than banknotes and coins become unavailable at national level, Member States may temporarily suspend the application of paragraph 1 or, where applicable, of paragraph 2 of this Article and shall inform the Commission thereof without delay. Member States shall also inform the Commission of the expected duration of the unavailability of means of payment by funds as defined in Article 4, point (25), of Directive (EU) 2015/2366 other than banknotes and coins and of the measures taken by Member States to reinstate their availability.
Where, on the basis of the information communicated by the Member State, the Commission considers that the suspension of the application of paragraph 1 or, where applicable, of paragraph 2 is not justified by a case of force majeure, it shall adopt a decision addressed to that Member State requesting the immediate lifting of such suspension.
CHAPTER IX
FINAL PROVISIONS
SECTION 1
Cooperation between FIUs and the EPPO
Article 81
Cooperation between FIUs and the EPPO
1. Pursuant to Article 24 of Regulation (EU) 2017/1939, each FIU shall without undue delay report to the EPPO the results of its analyses and any additional relevant information where there are reasonable grounds to suspect that money laundering and other criminal activity are being or have been committed in respect of which the EPPO could exercise its competence in accordance with Article 22 and Article 25(2) and (3) of that Regulation.
By 10 July 2026, AMLA shall, in consultation with the EPPO, develop draft implementing technical standards and submit them to the Commission for adoption. Those draft implementing technical standards shall specify the format to be used by FIUs for reporting information to the EPPO.
Power is conferred on the Commission to adopt the implementing technical standards referred to in the second subparagraph of this paragraph in accordance with Article 53 of Regulation (EU) 2024/1620.
2. FIUs shall respond in a timely manner to requests for information by the EPPO in relation to money laundering and other criminal activity as referred to in paragraph 1.
3. FIUs and the EPPO may exchange the results of strategic analyses, including typologies and risk indicators, where such analyses relate to money laundering and other criminal activity as referred to in paragraph 1.
Article 82
Requests for information to the EPPO
1. The EPPO shall respond without undue delay to reasoned requests for information by an FIU where that information is necessary for the performance of the FIU’s functions under Chapter III of Directive (EU) 2024/1640.
2. The EPPO may postpone or refuse the provision of the information referred to in paragraph 1 where providing it would be likely to prejudice the proper conduct and confidentiality of an ongoing investigation. The EPPO shall communicate in a timely manner the postponement of or refusal to provide the requested information, including the reasons therefor, to the requesting FIU.
SECTION 2
Cooperation between FIUs and OLAF
Article 83
Cooperation between FIUs and OLAF
1. Pursuant to Article 8(3) of Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council (48), each FIU shall transmit without delay the results of its analyses and any additional relevant information to OLAF where there are reasonable grounds to suspect that fraud, corruption or any other illegal activity affecting the Union’s financial interests are being or have been committed in respect of which OLAF could exercise its competence in accordance with Article 8 of that Regulation.
2. FIUs shall respond in a timely manner to requests for information by OLAF in relation to fraud, corruption or any other illegal activity as referred to in paragraph 1.
3. FIUs and OLAF may exchange the results of strategic analyses, including typologies and risk indicators, where such analyses relate to fraud, corruption or any other illegal activity as referred to in paragraph 1.
Article 84
Requests for information to OLAF
1. OLAF shall respond in a timely manner to reasoned requests for information by an FIU where that information is necessary for the performance of the FIU’s functions under Chapter III of Directive (EU) 2024/1640.
2. OLAF may postpone or refuse the provision of the information referred to in paragraph 1 where providing it would be likely to have a negative impact on an ongoing investigation. OLAF shall communicate such postponement or refusal to the requesting FIU in a timely manner, including the reasons therefor.
SECTION 3
Other provisions
Article 85
Exercise of the delegation
1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.
2. The power to adopt delegated acts referred to in Articles 29, 30, 31, 34, 43, 52 and 68 shall be conferred on the Commission for an indeterminate period of time from 9 July 2024.
3. The delegation of power referred to in Articles 29, 30, 31, 34, 43, 52 and 68 may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.
5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
6. A delegated act adopted pursuant to Article 29, 30, 31 or 34 shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of 1 month of notification of that act to the European Parliament and to the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by 1 month at the initiative of the European Parliament or of the Council.
7. A delegated act adopted pursuant to Article 43, 52 or 68 shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of 3 months of notification of that act to the European Parliament and to the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by 3 months at the initiative of the European Parliament or of the Council.
Article 86
Committee procedure
1. The Commission shall be assisted by the Committee on the Prevention of Money Laundering and Terrorist Financing established by Article 34 of Regulation (EU) 2023/1113. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.
2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.
Article 87
Review
By 10 July 2032, and every 3 years thereafter, the Commission shall review the application of this Regulation and submit a report to the European Parliament and to the Council.
The first review shall include an assessment of:
| (a) | the national systems for reporting of suspicions pursuant to Article 69 and obstacles and opportunities to establish a single reporting system at Union level; |
| (b) | the adequacy of the beneficial ownership transparency framework to mitigate risks associated with legal entities and legal arrangements. |
Article 88
Reports
By 10 July 2030, the Commission shall submit reports to the European Parliament and to the Council assessing the necessity and proportionality of:
| (a) | lowering the 25 % threshold for the identification of beneficial ownership of legal entities through ownership interest; |
| (b) | extending the scope of high-value goods to include high-value garments and accessories; |
| (c) | extending the scope of the threshold-based disclosures under Article 74 to cover the sale of other goods, of introducing harmonised formats for the reporting of those transactions based on the usefulness of those reports for FIUs, and of extending the scope of information collected from persons trading in free-trade zones; |
| (d) | adjusting the limit for large cash payments. |
Article 89
Relation to Directive (EU) 2015/849
References to Directive (EU) 2015/849 shall be construed as references to this Regulation and to Directive (EU) 2024/1640 and read in accordance with the correlation table set out in Annex VI to this Regulation.
Article 90
Entry into force and application
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
It shall apply from 10 July 2027, except in relation to obliged entities referred to in Article 3, points (3)(n) and (o), to which it shall apply from 10 July 2029.
This Regulation shall be binding in its entirety and directly applicable in all Member States.