New Updating obligations under Article 26(2) AMLR and Article 23 Draft RTS-CDD

Obligation to Keep Customer Information Up to Date (Article 26(2) AMLR)

Article 26(2) of Regulation (EU) 2024/1624 (AMLR) requires obliged entities, in the context of ongoing monitoring, to ensure that the relevant documents, data or information of the customer are kept up to date.

The period between updates of customer information shall be dependent on the risk posed by the business relationship and shall not in any case exceed:

  • one year for higher risk customers to which measures under Section 4 apply;
  • five years for all other customers.

These periods constitute binding maximum limits and may not be exceeded.


Relationship-Wide Updating (Recital (71))

Recital (71) clarifies the scope of the updating obligation.

Where obliged entities provide more than one product or service within a business relationship, the requirement to update information, data and documents at regular intervals is not intended to target the individual product or service, but the business relationship in its entirety.

Obliged entities are required to assess, across the range of products or services provided:

  • when the relevant circumstances of the customer change; or
  • when other conditions triggering the updating of the customer due diligence are met,

and to proceed to review the customer file in relation to the entirety of the business relationship.

The updating obligation therefore operates at relationship level.


Event-Driven Review and Updating (Article 26(3) AMLR)

In addition to the maximum periods set out in Article 26(2), Article 26(3) AMLR provides that obliged entities shall review and, where relevant, update the customer information where:

  • there is a change in the relevant circumstances of a customer;
  • the obliged entity has a legal obligation in the relevant calendar year to contact the customer in order to review relevant information relating to beneficial owners or to comply with Council Directive 2011/16/EU;
  • they become aware of a relevant fact which pertains to the customer.

Updating is therefore required not only periodically, but also whenever specific triggering events occur.


Customer Identification Data in Low-Risk Situations (Article 23(2) Draft RTS-CDD)

Article 23(2) of the Draft RTS-CDD provides:

“In any case, obliged entities shall update the customer identification data in accordance with Article 26(2), point (b), of Regulation (EU) 2024/1624.”

This confirms that even where simplified due diligence measures are applied in low-risk situations, customer identification data must be updated in accordance with Article 26(2)(b) AMLR.

Accordingly:

  • The five-year maximum period applies in low-risk cases.
  • Simplified due diligence does not suspend the obligation to update customer identification data.

Entry into Force and Risk-Sensitive Alignment of Existing Business Relationships (Article 33 Draft RTS-CDD)

Article 33 of the Draft RTS-CDD provides that the Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Where a customer has entered into a business relationship before the publication date of the Regulation:

  • the documents, data and information relating to those customers shall be brought in line with the requirements of the Draft RTS and of Regulation (EU) 2024/1624;
  • this shall be carried out on a risk-sensitive basis;
  • but in all cases not later than within the periods set out in Article 26(2) AMLR.

Existing customer files must therefore be aligned with the new framework within the applicable one- or five-year maximum periods, depending on the risk posed by the business relationship.


Overall Structure of the New Updating Obligations

The updating obligations under Article 26(2) AMLR and Article 23 Draft RTS-CDD are structured around three elements:

  1. Periodic updating within clearly defined maximum periods (one year / five years).
  2. Review and updating triggered by changes in circumstances or relevant facts.
  3. Risk-sensitive alignment of existing business relationships within the statutory maximum periods.

Key Takeaways

The new updating obligations under Article 26(2) AMLR require obliged entities to ensure that the relevant documents, data or information of the customer are kept up to date on a relationship-wide basis.

  • Recital (71) confirms that updating applies to the business relationship in its entirety.
  • Article 23(2) Draft RTS-CDD confirms that, in any case, customer identification data must be updated in accordance with Article 26(2)(b) AMLR, including in low-risk situations.
  • Article 33 Draft RTS-CDD requires that documents, data and information relating to existing business relationships be brought in line with the new framework on a risk-sensitive basis and, in all cases, within the maximum periods set out in Article 26(2) AMLR.

Customer information updating is therefore time-bound, risk-dependent and relationship-wide under the new EU AML framework.


Sources:

https://eur-lex.europa.eu/eli/reg/2024/1624/oj/eng

https://www.amla.europa.eu/policy/public-consultations/consultation-draft-rts-customer-due-diligence_en
