Article 9 AMLR – Scope of internal policies, procedures and controls
1. Obliged entities shall have in place internal policies, procedures and controls in order to ensure compliance with this Regulation, Regulation (EU) 2023/1113 and any administrative act issued by any supervisor and in particular to:
| (a) | mitigate and manage effectively the risks of money laundering and terrorist financing identified at the level of the Union, the Member State and the obliged entity; |
| (b) | in addition to the obligation to apply targeted financial sanctions, mitigate and manage the risks of non-implementation and evasion of targeted financial sanctions. |
The policies, procedures and controls referred to in the first subparagraph shall be proportionate to the nature of the business, including its risks and complexity, and the size of the obliged entity and shall cover all the activities of the obliged entity that fall under the scope of this Regulation.
2. The policies, procedures and controls referred to in paragraph 1 shall include:
| (a) | internal policies and procedures, including in particular: |
| (i) | the carrying out and updating of the business-wide risk assessment; |
| (ii) | the obliged entity’s risk management framework; |
| (iii) | customer due diligence to implement Chapter III of this Regulation, including procedures to determine whether the customer, the beneficial owner, or the person on whose behalf or for the benefit of whom a transaction or activity is being conducted, is a politically exposed person or a family member or person known to be a close associate; |
| (iv) | reporting of suspicious transactions; |
| (v) | outsourcing and reliance on customer due diligence performed by other obliged entities; |
| (vi) | record retention and policies in relation to the processing of personal data pursuant to Articles 76 and 77; |
| (vii) | the monitoring and management of compliance with such internal policies and procedures in accordance with point (b) of this paragraph, the identification and management of deficiencies and the implementation of remedial actions; |
| (viii) | the verification, proportionate to the risks associated with the tasks and functions to be performed, when recruiting and assigning staff to certain tasks and functions and when appointing agents and distributors, that those persons are of good repute; |
| (ix) | the internal communication of the obliged entity’s internal policies, procedures and controls, including to its agents, distributors and service providers involved in the implementation of its AML/CFT policies; |
| (x) | a policy on the training of employees and, where relevant, agents and distributors with regard to measures in place in the obliged entity to comply with the requirements of this Regulation, Regulation (EU) 2023/1113 and any administrative act issued by any supervisor; |
| (b) | internal controls and an independent audit function to test the internal policies and procedures referred to in point (a) of this paragraph and the controls in place in the obliged entity; in the absence of an independent audit function, obliged entities may have this test carried out by an external expert. |
The internal policies, procedures and controls set out in the first subparagraph shall be recorded in writing. Internal policies shall be approved by the management body in its management function. Internal procedures and controls shall be approved at least at the level of the compliance manager.
3. The obliged entities shall keep the internal policies, procedures and controls up-to-date, and enhance them where weaknesses are identified.
4. By 10 July 2026, AMLA shall issue guidelines on the elements that obliged entities should take into account, based on the nature of their business, including its risks and complexity, and their size, when deciding on the extent of their internal policies, procedures and controls, in particular as regards the staff allocated to the compliance functions. Those guidelines shall also identify situations where, due to the nature and size of the obliged entity:
| (i) | internal controls are to be organised at the level of the commercial function, of the compliance function and of the audit function; |
| (ii) | the independent audit function can be carried out by an external expert. |