Source: OJ L, 2024/1620, 19.6.2024

Article 11 Central AML/CFT database


    1. The Authority shall establish and keep up to date a central database of information pursuant to this Article.

    2. The Authority shall make the information available to supervisory authorities, non-AML/CFT authorities, other national authorities and bodies competent for ensuring compliance with Directive 2008/48/EC of the European Parliament and of the Council (28), Directive 2009/110/EC of the European Parliament and of the Council (29), Directive 2009/138/EC of the European Parliament and of the Council (30), Directive 2014/17/EU of the European Parliament and of the Council (31), Regulation (EU) No 537/2014 of the European Parliament and of the Council (32), Directive 2014/56/EU of the European Parliament and of the Council (33), Directive 2014/65/EU of the European Parliament and of the Council (34) or Directive (EU) 2015/2366 of the European Parliament and of the Council (35), and to the European Supervisory Authorities, namely, the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) (collectively, ‘the ESAs’), on a need-to-know and confidential basis, where it is necessary for the fulfilment of their tasks.

    (28) Directive 2008/48/EC of the European Parliament and of the Council of 23 April 2008 on credit agreements for consumers and repealing Council Directive 87/102/EEC (OJ L 133, 22.5.2008, p. 66).
    (29) Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions amending Directives 2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC (OJ L 267, 10.10.2009, p. 7).
    (30) Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009 on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II) (OJ L 335, 17.12.2009, p. 1).
    (31) Directive 2014/17/EU of the European Parliament and of the Council of 4 February 2014 on credit agreements for consumers relating to residential immovable property and amending Directives 2008/48/EC and 2013/36/EU and Regulation (EU) No 1093/2010 (OJ L 60, 28.2.2014, p. 34).
    (32) Regulation (EU) No 537/2014 of the European Parliament and of the Council of 16 April 2014 on specific requirements regarding statutory audit of public-interest entities and repealing Commission Decision 2005/909/EC (OJ L 158, 27.5.2014, p. 77).
    (33) Directive 2014/56/EU of the European Parliament and of the Council of 16 April 2014 amending Directive 2006/43/EC on statutory audits of annual accounts and consolidated accounts (OJ L 158, 27.5.2014, p. 196).
    (34) Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349).
    (35) Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, p. 35).

    3. The Authority shall also analyse the collected information and may share the results of its analysis on its own initiative with supervisory authorities, where to do so would facilitate their supervisory activities, and, where relevant, with obliged entities.

    1. The supervisory authorities shall transmit to the Authority at least the following information, including the data related to individual obliged entities, so that the Authority enters that information into the database:

      1. a list of all supervisory authorities and self-regulatory bodies in their Member State entrusted with the supervision of obliged entities, including information about their mandate, tasks and powers and, where applicable, the identification of the leading supervisor or coordination mechanism;

      2. statistical information about the categories and the number of supervised obliged entities per category in their Member State and basic information about the risk profile of those entities;

      3. the administrative measures applied and pecuniary sanctions imposed in the course of supervision of individual obliged entities in response to breaches of AML/CFT requirements, accompanied by:

        1. the grounds for applying the administrative measure or imposing the pecuniary sanction, such as the nature of the breach;

        2. related information on the supervisory activities and outcomes which led to the administrative measure being applied or the pecuniary sanction being imposed;

      4. any advice or opinion related to ML/TF risks provided to other authorities in relation to authorisation procedures, withdrawal of authorisation procedures, and ‘fit and proper’ assessments of shareholders or members of the management body of individual obliged entities;

      5. the outcomes of their assessments of the inherent and residual risk profiles of all credit institutions and financial institutions that meet the criteria set out in Article 12(1);

      6. the outcomes and reports of thematic reviews and other horizontal supervisory actions with regard to high-risk areas or activities;

      7. information regarding the supervisory activities they performed over the past calendar year, gathered pursuant to Article 40(5) of Directive (EU) 2024/1640;

      8. statistical information about staffing and other resources of supervisors and supervisory authorities.

    2. The information provided pursuant to the first subparagraph shall not include references to specific suspicions reported pursuant to Article 69 of Regulation (EU) 2024/1624.

    3. The Authority shall also enter into the database the information stemming from its activities in the area of direct supervision which corresponds to the categories of information listed in the first subparagraph, as well as the outcomes of the risk assessment process carried out by the Authority pursuant to Article 12.

    1. The Authority may request supervisory authorities to provide other information in addition to that referred to in paragraph 2. The supervisory authorities shall update any provided information as soon as the update is necessary or at the Authority’s request.

    1. The Authority shall enter into the database any data or information relevant for the purposes of AML/CFT supervisory activities which is provided by non-AML/CFT authorities, other national authorities and bodies competent for ensuring compliance with the requirements of Directive 2008/48/EC, Directive 2009/110/EC, Directive 2009/138/EC, Directive 2014/17/EU, Regulation (EU) No 537/2014, Directive 2014/56/EU, Directive 2014/65/EU or Directive (EU) 2015/2366, or by the ESAs.

    2. The information referred to in the first subparagraph shall include instances where the authorities and bodies referred to in that subparagraph have reasonable grounds to suspect that ML/TF is being attempted or committed or that an increased risk thereof exists in connection with an obliged entity, and where such reasonable grounds arose in the context of the exercise of their respective tasks. The database shall also include relevant information which authorities or bodies supervising credit institutions in accordance with Directive 2013/36/EU of the European Parliament and of the Council (36), including the ECB when acting in accordance with Regulation (EU) No 1024/2013, have obtained, in the context of ongoing supervision, including information on business model assessments, assessments of governance arrangements, authorisation procedures, assessments of acquisitions of qualifying holdings, ‘fit and proper’ assessments and procedures related to the withdrawal of licences.

    (36) Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).

    1. The authorities and bodies referred to in paragraph 1, second subparagraph, may address to the Authority a reasoned request for information collected pursuant to this Article, if that information is necessary for their supervisory activities. The Authority shall assess those requests and provide the information requested on a need-to-know and confidential basis and in a timely manner. The Authority shall inform the authority or body that has initially provided the requested information of the identity of the requesting authority or body, the identity of any obliged entity concerned, the reason for the information request as well as whether the information has been provided to the requesting authority or body. Where the Authority decides not to provide the requested information, it shall provide a reasoned justification for that decision.

    1. The Authority shall develop draft regulatory technical standards specifying:

      1. the procedure, formats and timelines for the transmission of information pursuant to paragraphs 2 and 3;

      2. the scope and level of detail of the information to be transmitted, taking into account relevant distinctions between obliged entities, such as their risk profile;

      3. the scope and level of detail of the information to be transmitted in relation to obliged entities in the non-financial sector;

      4. the type of information the disclosure of which by the Authority, pursuant to a reasoned request or at its own initiative, requires the prior consent of the supervisory authority that originated it;

      5. which level of materiality a breach needs to have in order for a supervisory authority to be obliged to transmit information on the breach pursuant to paragraph 2, point (c);

      6. the conditions under which the Authority may request additional information pursuant to paragraph 3;

      7. the types of additional information to be transmitted to the Authority pursuant to paragraph 3.

    2. The Authority shall submit those draft regulatory technical standards to the Commission by 27 December 2025.

    3. The Commission is empowered to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph in accordance with Article 49 of this Regulation.

    1. Personal data collected in accordance with this Article may be kept in an identifiable form for a period of up to 10 years after the date of collection of the data by the Authority, at the end of which those data shall be deleted. Based on a regular assessment of their necessity, personal data may be deleted before the expiry of that period on a case-by-case basis.
