Article 16 AMLR – Group-wide requirements

1.   A parent undertaking shall ensure that the requirements on internal procedures, risk assessment and staff referred to in Section 1 of this Chapter apply in all branches and subsidiaries of the group in the Member States and, for groups whose head office is located in the Union, in third countries. To this end, a parent undertaking shall perform a group-wide risk assessment, taking into account the business-wide risk assessment performed by all branches and subsidiaries of the group, and establish and implement group-wide policies, procedures and controls, including on data protection and on information sharing within the group for AML/CFT purposes and to ensure that employees within the group are aware of the requirements arising from this Regulation. Obliged entities within the group shall implement those group-wide policies, procedures and controls, taking into account their specificities and the risks to which they are exposed.

The group-wide policies, procedures and controls and the group-wide risk assessments referred to in the first subparagraph shall include all the elements listed in Articles 9 and 10, respectively.

For the purposes of the first subparagraph, where a group has establishments in more than one Member State and, for groups whose head office is located in the Union, in third countries, parent undertakings shall take into account the information published by the authorities of all the Member States or third countries where the group’s establishments are located.

2.   Compliance functions shall be established at the level of the group. Those functions shall include a compliance manager at the level of the group and, where justified by the activities carried out at group level, a compliance officer. The decision on the extent of the compliance functions shall be documented.

The compliance manager referred to in the first subparagraph shall regularly report to the management body in its management function of the parent undertaking on the implementation of the group-wide policies, procedures and controls. At a minimum, the compliance manager shall submit once a year a report on the implementation of the obliged entity’s internal policies, procedures and controls and shall take the necessary actions to remedy in a timely manner any deficiencies identified. Where the management body in its management function is a body collectively responsible for its decisions, the compliance manager shall assist and advise it, and shall prepare the decisions necessary for the implementation of this Article.

3.   The policies, procedures and controls pertaining to the sharing of information referred to in paragraph 1 shall require obliged entities within the group to exchange information when such sharing is relevant for the purposes of customer due diligence and money laundering and terrorist financing risk management. The sharing of information within the group shall cover in particular the identity and characteristics of the customer, its beneficial owners or the person on behalf of whom the customer acts, the nature and purpose of the business relationship and of the occasional transactions and the suspicions, accompanied by the underlying analyses, that funds are the proceeds of criminal activity or are related to terrorist financing reported to FIU pursuant to Article 69, unless otherwise instructed by the FIU.

The group-wide policies, procedures and controls shall not prevent entities within a group which are not obliged entities to provide information to obliged entities within the same group where such sharing is relevant for those obliged entities to comply with requirements set out in this Regulation.

Parent undertakings shall put in place group-wide policies, procedures and controls to ensure that the information exchanged pursuant to the first and second subparagraphs is subject to sufficient guarantees in terms of confidentiality, data protection and use of the information, including to prevent its disclosure.

4.   By 10 July 2026, AMLA shall develop draft regulatory technical standards and submit them to the Commission for adoption. Those draft regulatory technical standards shall specify the minimum requirements of group-wide policies, procedures and controls, including minimum standards for information sharing within the group, the criteria for identifying the parent undertaking in the cases covered by Article 2(1), point (42)(b), and the conditions under which the provisions of this Article apply to entities that are part of structures which share common ownership, management or compliance control, including networks or partnerships, as well as the criteria for identifying the parent undertaking in the Union in those cases.

5.   Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in paragraph 4 of this Article in accordance with Articles 49 to 52 of Regulation (EU) 2024/1620.