Article 18 AMLR – Outsourcing
1. Obliged entities may outsource tasks resulting from this Regulation to service providers. The obliged entity shall notify the supervisor of the outsourcing before the service provider starts to carry out the outsourced task.
2. When performing tasks under this Article, service providers shall be regarded as part of the obliged entity, including where they are required to consult the central registers referred to in Article 10 of Directive (EU) 2024/1640 (‘central registers’) for the purposes of carrying out customer due diligence on behalf of the obliged entity.
The obliged entity shall remain fully liable for any action, whether an act of commission or omission, connected to the outsourced tasks that are carried out by service providers.
For each outsourced task, the obliged entity shall be able to demonstrate to the supervisor that it understands the rationale behind the activities carried out by the service provider and the approach followed in their implementation, and that such activities mitigate the specific risks to which the obliged entity is exposed.
3. The tasks outsourced pursuant to paragraph 1 of this Article shall not be undertaken in such a way as to impair materially the quality of the obliged entity’s policies and procedures to comply with the requirements of this Regulation and of Regulation (EU) 2023/1113, and of the controls in place to test those policies and procedures. The following tasks shall not be outsourced under any circumstances:
| (a) | the proposal and approval of the obliged entity’s business-wide risk assessment pursuant to Article 10(2); |
| (b) | the approval of the obliged entity’s internal policies, procedures and controls pursuant to Article 9; |
| (c) | decision on the risk profile to be attributed to the customer; |
| (d) | the decision to enter into a business relationship or carry out an occasional transaction with a client; |
| (e) | the reporting to FIU of suspicious activities pursuant to Article 69 or threshold-based reports pursuant to Article 74 and 80, except where such activities are outsourced to another obliged entity belonging to the same group and established in the same Member State; |
| (f) | the approval of the criteria for the detection of suspicious or unusual transactions and activities. |
4. Before an obliged entity outsources a task pursuant to paragraph 1, it shall assure itself that the service provider is sufficiently qualified to carry out the tasks to be outsourced.
Where an obliged entity outsources a task pursuant to paragraph 1, it shall ensure that the service provider, as well as any subsequent sub-outsourcing service provider, applies the policies and procedures adopted by the obliged entity. The conditions for the performance of such tasks shall be laid down in a written agreement between the obliged entity and the service provider. The obliged entity shall perform regular controls to ascertain the effective implementation of such policies and procedures by the service provider. The frequency of such controls shall be determined on the basis of the critical nature of the tasks outsourced.
5. Obliged entities shall ensure that outsourcing is not undertaken in such way as to impair materially the ability of the supervisory authorities to monitor and retrace the obliged entity’s compliance with this Regulation and Regulation (EU) 2023/1113.
6. By way of derogation from paragraph 1, obliged entities shall not outsource tasks deriving from the requirements under this Regulation to service providers residing or established in third countries identified pursuant to Section 2 of Chapter III, unless all of the following conditions are met:
| (a) | the obliged entity outsources tasks solely to a service provider that is part of the same group; |
| (b) | the group applies AML/CFT policies and procedures, customer due diligence measures and rules on record-keeping that are fully in compliance with this Regulation, or with equivalent rules in third countries; |
| (c) | the effective implementation of the requirements referred to in point (b) of this paragraph is supervised at group level by the supervisory authority of the home Member State in accordance with Chapter IV of Directive (EU) 2024/1640. |
7. By way of derogation from paragraph 3, where a collective investment undertaking has no legal personality, or has only a board of directors and has delegated the processing of subscriptions and the collection of funds as defined in Article 4, point (25), of Directive (EU) 2015/2366 from investors to another entity, it may outsource the task referred to in paragraph 3, points (c), (d) and (e) to one of its service providers.
The outsourcing referred to in the first subparagraph of this paragraph may only take place after the collective investment undertaking has notified its intention to outsource the task to the supervisor pursuant to paragraph 1, and the supervisor has approved such outsourcing taking into consideration:
| (a) | the resources, experience and knowledge of the service provider in relation to the prevention of money laundering and terrorist financing; |
| (b) | the knowledge of the service provider of the type of activities or transactions carried out by the collective investment undertaking. |
8. By 10 July 2027, AMLA shall issue guidelines addressed to obliged entities on:
| (a) | the establishment of outsourcing relationships, including any subsequent outsourcing relationship, in accordance with this Article, their governance and procedures for monitoring the implementation of functions by the service provider and in particular those functions that are to be regarded as critical; |
| (b) | the roles and responsibility of the obliged entity and the service provider within an outsourcing agreement; |
| (c) | supervisory approaches to outsourcing as well as supervisory expectations regarding the outsourcing of critical functions. |