New Group-wide Requirements under Art. 16 AMLR

New Group-wide Requirements under Art. 16 AMLR

Why group-wide AML compliance is being fundamentally redefined?

With the entry into force of Regulation (EU) 2024/1624 (AMLR), group-wide AML/CFT compliance is no longer treated as a technical extension of local obligations. Article 16 AMLR establishes a stand-alone, Level-1 legal framework for AML governance at group level, directly binding parent undertakings and reshaping supervisory expectations across the EU.

While group-wide AML requirements are not new, Article 16 AMLR marks a qualitative shift: what was previously regulated through delegated and technical standards, most notably Regulation (EU) 2019/758, is now embedded directly in EU primary AML law, with expanded scope, clearer governance duties, and future AMLA-driven harmonisation.

The Past: Regulation (EU) 2019/758

Regulation (EU) 2019/758 was adopted to supplement Article 45 AMLD IV/V and addressed a very specific problem:
What must a group do if third-country law prevents the implementation of group-wide AML policies?

Its logic was narrowly focused but operationally strict:

  • application limited to credit institutions and financial institutions,
  • triggered only where legal obstacles (e.g. data protection, banking secrecy) existed in third countries,
  • prescriptive escalation logic:
    • risk assessment and supervisory notification,
    • attempt to overcome barriers (e.g. customer consent),
    • mandatory additional measures (product restrictions, enhanced audits, enhanced monitoring),
    • and ultimately mandatory exit if risks could not be controlled.

Regulation 2019/758 therefore functioned as a technical containment mechanism for group-wide AML failures caused by foreign legal regimes.

From technical mitigation to structural obligation

Article 16 AMLR fundamentally changes the perspective. Group-wide AML compliance is no longer an exception-driven topic but a core organisational requirement.

Under Article 16 AMLR, the parent undertaking must ensure that:

  • internal policies, procedures and controls under Articles 9–15 AMLR apply to:
    • all branches and subsidiaries in Member States, and
    • for EU-headed groups, also in third countries;
  • a group-wide risk assessment is performed, explicitly consolidating:
    • all business-wide risk assessments of branches and subsidiaries;
  • group-wide policies cover, at a minimum:
    • AML/CFT controls,
    • staff awareness and training,
    • data protection, and
    • information sharing within the group.

Unlike Regulation 2019/758, Article 16 AMLR applies universally to all obliged entities, not only to credit and financial institutions, and irrespective of whether legal obstacles already exist.

Mandatory group compliance functions

One of the most significant innovations of Article 16 AMLR lies in paragraph 2.

For the first time, EU AML law explicitly requires:

  • a compliance function at group level,
  • a designated group compliance manager,
  • and, where justified, a group compliance officer.

The parent undertaking must document:

  • the extent of the group compliance function, and
  • the rationale for its design.

The group compliance manager must:

  • report regularly to the management body in its management function,
  • submit at least annual implementation reports,
  • and ensure timely remediation of deficiencies.

This governance layer did not exist under Regulation 2019/758, which assumed group-level control structures but did not legally mandate them. Article 16 AMLR therefore closes a long-standing supervisory gap between formal accountability and actual group oversight.

Information sharing: from restriction management to obligation

Regulation 2019/758 treated information sharing primarily as a problem to be mitigated where third-country law restricted data flows. Article 16 AMLR reverses the logic.

Group-wide policies must now require information sharing where relevant for:

  • customer due diligence,
  • ML/TF risk management,
  • and suspicious activity analysis.

The scope of mandatory information exchange explicitly includes:

  • customer identity and characteristics,
  • beneficial owners and control structures,
  • purpose and nature of business relationships and transactions,
  • suspicions and underlying analyses reported to FIUs (unless the FIU instructs otherwise).

Crucially, Article 16 AMLR also clarifies that non-obliged entities within a group must not be prevented from sharing AML-relevant information with obliged entities. This is a decisive expansion beyond Regulation 2019/758 and directly addresses complex group structures with shared services, holding companies, or operational platforms.

The Future: AMLR + RTS

Article 16(4) AMLR mandates AMLA to develop new Regulatory Technical Standard by 10 July 2026.

The RTS will specify:

  • minimum requirements for group-wide policies, procedures and controls,
  • minimum standards for intra-group information sharing,
  • criteria for identifying the parent undertaking, including in:
    • networks,
    • partnerships,
    • structures with shared ownership, management or compliance control.

In practical terms, these RTS will supersede Regulation 2019/758. However, until their adoption, Regulation 2019/758 remains the only concrete, inspection-tested technical benchmark for supervisors when assessing group-wide AML effectiveness in cross-border structures.

What changes for on-site inspections and audits?

For supervisory authorities, Article 16 AMLR simplifies enforcement:

  • group-wide AML failures are now direct breaches of Level-1 EU law,
  • governance weaknesses can be sanctioned without relying on delegated acts,
  • management bodies can be held accountable for:
    • missing group risk consolidation,
    • ineffective information sharing,
    • insufficient group compliance oversight.

Institutions that struggled to meet the standards of Regulation 2019/758 should expect significantly higher scrutiny under Article 16 AMLR, particularly once AMLA RTS are in force.

Evolution, not replacement

Article 16 AMLR does not discard Regulation 2019/758.

It absorbs and elevates its logic:

  • from a narrow, third-country-specific mitigation regime,
  • to a comprehensive, binding framework for group-wide AML governance.

For obliged entities, the message is clear:
Group-wide AML compliance is no longer a technical afterthought. It is a central, enforceable responsibility of the parent undertaking and its management body.

Institutions that align their group frameworks early with the combined logic of Article 16 AMLR and Regulation 2019/758 will be structurally prepared for the next phase of EU AML supervision.

Leave a Reply

Your email address will not be published. Required fields are marked *