
New Outsourcing Requirements under Art. 18 AMLR
Outsourcing has long been a practical necessity in AML/CFT compliance. Screening engines, onboarding service providers, external KYC utilities and shared service centres are standard across the EU financial sector.
With the entry into force of Regulation (EU) 2024/1624 (AMLR), outsourcing is no longer treated as a neutral operational choice. Article 18 AMLR establishes a binding, directly applicable framework that fundamentally reshapes how obliged entities may outsource AML/CFT tasks — and how supervisors will assess them.
The message of the AMLR is unambiguous: Outsourcing is permitted, but responsibility, risk ownership and decision-making can never be outsourced.
From operational tool to regulated risk factor
Article 18 AMLR is the first EU-level provision that comprehensively regulates AML/CFT outsourcing across all obliged entities. It operationalises the outsourcing doctrine introduced in Recitals (47)–(50) and must be read together with Article 9(2)(a)(v) AMLR, which requires explicit internal policies on outsourcing.
Under AMLR, outsourcing is no longer merely a procurement or vendor-management topic. It is now:
- a core governance issue,
- a risk-relevant supervisory input, and
- a design-critical element of the AML control framework.
Prior notification is mandatory and not optional
Article 18(1) AMLR allows obliged entities to outsource tasks resulting from the Regulation, but only subject to one strict condition:
The supervisor must be notified before the service provider starts performing the outsourced task.
This notification requirement is not symbolic. Outsourcing without prior notification constitutes a direct breach of AMLR, regardless of the quality of the service provider or the effectiveness of the outsourced task.
At the same time, AMLR makes clear that:
- notification does not mean approval, and
- supervisors remain free to reassess outsourcing arrangements during inspections or risk profiling.
Service providers are legally treated as part of the obliged entity
One of the most far-reaching changes is found in Article 18(2) AMLR.
When performing outsourced AML/CFT tasks, service providers are legally regarded as part of the obliged entity.
This applies even where the provider:
- performs customer due diligence on behalf of the institution, or
- consults central beneficial ownership registers.
The legal consequence is decisive:
- all acts and omissions of the service provider are fully attributable to the obliged entity, and
- full liability remains with the obliged entity at all times.
There is no concept of shared or transferred responsibility under AMLR.
Understanding the outsourced task is a legal obligation
AMLR goes beyond formal accountability.
For each outsourced task, the obliged entity must be able to demonstrate to the supervisor that it:
- understands the rationale behind the provider’s activities,
- understands the implementation approach, and
- can show that the outsourced activities mitigate the specific ML/TF risks the entity faces.
This requirement transforms outsourcing governance from contract management into substantive process understanding. Black-box outsourcing models are structurally incompatible with Article 18 AMLR.
What may never be outsourced?
Article 18(3) AMLR introduces a closed list of tasks that may not be outsourced under any circumstances.
These include, in particular:
- proposal and approval of the business-wide risk assessment,
- approval of internal AML/CFT policies, procedures and controls,
- decisions on the customer risk profile,
- decisions to enter into or continue a business relationship,
- suspicious activity reporting to the FIU (with a narrow same-group exception),
- approval of detection criteria for suspicious or unusual transactions.
These prohibitions codify a clear regulatory principle: AML/CFT decision sovereignty must remain inside the obliged entity.
Qualification, contracts and ongoing controls are mandatory
Before outsourcing any AML/CFT task, obliged entities must ensure that the service provider is sufficiently qualified. This is an explicit ex-ante obligation under Article 18(4) AMLR.
In addition:
- service providers and sub-providers must apply the obliged entity’s own AML policies and procedures,
- outsourcing conditions must be governed by a written agreement, and
- the obliged entity must perform regular controls over the provider.
The frequency and depth of these controls must be determined by the critical nature of the outsourced task, reinforcing the risk-based approach.
Outsourcing must never impair supervisory traceability
Under Article 18(5) AMLR, outsourcing arrangements must not materially impair the ability of supervisors to:
- monitor compliance, or
- retrace AML/CFT decisions and processes.
If outsourcing results in fragmented audit trails, limited data access or reduced transparency, it is unlawful, even if operationally efficient.
Strong restrictions for high-risk third countries
As a rule, AMLR prohibits outsourcing to service providers located in high-risk third countries.
A narrow exception exists only where:
- the provider is part of the same group,
- the group applies AML/CFT rules fully compliant with AMLR or equivalent standards, and
- group-level compliance is supervised by the home Member State authority.
This exception is cumulative and strictly construed.
AMLA guidelines are coming, but Article 18 AMLR already applies
By 10 July 2027, AMLA must issue guidelines on:
- outsourcing governance,
- critical functions,
- roles and responsibilities, and
- supervisory expectations.
Until then, Article 18 AMLR is directly applicable law. Institutions cannot defer compliance by waiting for AMLA guidance.
What this means in practice
Under AMLR, outsourcing:
- is allowed as an execution model,
- is scrutinised as a risk amplifier, and
- is unacceptable as a governance substitute.
Institutions that rely heavily on outsourcing must expect closer supervisory attention, especially where critical AML/CFT functions are involved.
Article 18 AMLR fundamentally redefines AML/CFT Outsourcing in the EU
It replaces informal practices with a strict, enforceable framework built on:
- non-delegable responsibility,
- internal decision sovereignty,
- demonstrable risk understanding, and
- full supervisory transparency.
Outsourcing can support AML/CFT compliance, but under AMLR it can never replace it.