Anti-money laundering regulation (AMLR)

Money laundering and terrorist financing are frequently carried out in an international context. Measures adopted at Union level, without taking into account international coordination and cooperation, would have very limited effect. The measures adopted by the Union in that field should therefore be compatible with, and at least as stringent as, actions undertaken at international level. Union action should continue to take particular account of the Financial Action Task Force (FATF) Recommendations and instruments of other international bodies active in the fight against money laundering and terrorist financing. With a view to reinforcing the efficacy of the fight against money laundering and terrorist financing, the relevant Union legal acts should, where appropriate, be aligned with the International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation adopted by the FATF in February 2012 (the ‘revised FATF Recommendations’) and the subsequent amendments to such standards.

Since the adoption of Directive (EU) 2015/849, recent developments in the Union’s criminal law framework have contributed to strengthening the prevention of and fight against money laundering, its predicate offences and terrorist financing. Directive (EU) 2018/1673 of the European Parliament and of the Council(⁹) has led to a common understanding of the money laundering crime and its predicate offences. Directive (EU) 2017/1371 of the European Parliament and of the Council(¹⁰) defined financial crimes affecting the Union’s financial interest, which should also be considered predicate offences to money laundering. Directive (EU) 2017/541 of the European Parliament and of the Council(¹¹) has achieved a common understanding of the crime of terrorist financing. As those concepts are now clarified in Union criminal law, it is no longer necessary for the Union’s AML/CFT rules to define money laundering, its predicate offences or terrorist financing. Instead, the Union’s AML/CFT framework should be fully coherent with the Union’s criminal law framework.

Harmonisation in the relevant area of criminal law enables a strong and coherent approach at Union level to the prevention of and fight against money laundering and its predicate offences, including corruption. At the same time, such an approach ensures that Member States that have adopted a broader approach to the definition of criminal activities which constitute predicate offences for money laundering can continue to apply such an approach. For that reason, in line with Directive (EU) 2018/1673, any kind of punishable involvement in the commission of a predicate offence for money laundering as criminalised in accordance with national law should also be considered as a criminal activity for the purposes of that Directive and of this Regulation.

Technology keeps evolving, offering opportunities to the private sector to develop new products and systems to exchange funds or value. While this is a positive phenomenon, it can generate new money laundering and terrorist financing risks, as criminals continuously manage to find ways to exploit vulnerabilities in order to hide and move illicit funds around the world. Crypto-asset service providers and crowdfunding platforms are exposed to the misuse of new channels for the movement of illicit money and are well placed to detect such movement and mitigate risks. The scope of Union legislation should therefore be expanded to cover such entities, in line with FATF standards in relation to crypto-assets. At the same time, advances in innovation, such as the development of the metaverse, provide new avenues for the perpetration of crimes and for the laundering of their proceeds. It is therefore important to exercise vigilance as regards the risks associated with the provision of innovative products or services, whether at Union or national level or at the level of obliged entities.

The institutions and persons covered by this Regulation play a crucial role as gatekeepers of the Union’s financial system and should therefore take all necessary measures to implement the requirements of this Regulation with a view to preventing criminals from laundering the proceeds of their illegal activities or from financing terrorism. Measures should also be put in place to mitigate any risk of non-implementation or evasion of targeted financial sanctions.

The definition of an insurance intermediary under Directive (EU) 2016/97 of the European Parliament and of the Council(¹²) covers a broad range of natural or legal persons that take up or pursue the activity of insurance distribution. Some insurance intermediaries take up insurance distribution activities under the full responsibility of insurance undertakings or intermediaries and carry out activities subject to their policies and procedures. Where those intermediaries do not collect premia or amounts intended for the customer, the policy holder or the beneficiary of the insurance policy, they are not in a position to conduct meaningful due diligence or to detect and report suspicious transactions. In view of that limited role and of the fact that full application of AML/CFT requirements is ensured by the insurance undertakings or intermediaries under whose responsibility they provide services, intermediaries that do not handle funds as defined in Article 4, point (25), of Directive (EU) 2015/2366 of the European Parliament and of the Council(¹³) should not be considered obliged entities for the purposes of this Regulation.

Holding companies that carry out mixed activities and have at least one subsidiary that is an obliged entity should themselves be included as obliged entities in the scope of this Regulation. To ensure consistent supervision by financial supervisors, in cases where the subsidiaries of a mixed activity holding company include at least one credit institution or financial institution, the holding company itself should also qualify as a financial institution.

Financial transactions can also take place within the same group as a way of managing group finances. However, such transactions are not undertaken vis-à-vis customers and do not require the application of AML/CFT measures. In order to ensure legal certainty, it is necessary to recognise that this Regulation does not apply to financial activities or other financial services which are provided by members of a group to other members of that group.

Independent legal professionals should be subject to this Regulation when participating in financial or corporate transactions, including when providing tax advice, because there is risk of the services provided by those legal professionals being misused for the purpose of laundering the proceeds of criminal activity or for the purpose of terrorist financing. There should, however, be exemptions from any obligation to report information obtained before, during or after judicial proceedings, or in the course of ascertaining the legal position of a client, as such information is covered by legal privilege. Therefore, legal advice should remain subject to the obligation of professional secrecy, except where the legal professional is taking part in money laundering or terrorist financing, the legal advice is provided for the purposes of money laundering or terrorist financing, or where the legal professional knows that the client is seeking legal advice for the purposes of money laundering or terrorist financing. Such knowledge and purpose can be inferred from objective factual circumstances. As legal advice might already be sought at the stage of perpetrating the proceeds-generating criminal activity, it is important that cases excluded from legal privilege extend to situations where legal advice is provided in the context of the predicate offences. Legal advice sought in relation to ongoing judicial proceedings should not be deemed to constitute legal advice for the purposes of money laundering or terrorist financing.

In order to ensure respect for the rights guaranteed by the Charter of Fundamental Rights of the European Union (the ‘Charter’), in the case of auditors, external accountants and tax advisors who, in some Member States, are entitled to defend or represent a client in the context of judicial proceedings or to ascertain a client’s legal position, the information they obtain in the performance of those tasks should not be subject to reporting obligations. However, the same exceptions that apply to notaries and lawyers should also apply to those professionals where they act in the exercise of the right of defence or when they ascertain the legal position of a client.

Directive (EU) 2018/843 was the first legal instrument to address the risks of money laundering and terrorist financing posed by crypto-assets in the Union. It extended the scope of the AML/CFT framework to two types of crypto-asset service providers: providers engaged in exchange services between virtual currencies and fiat currencies, and custodian wallet providers. Due to rapid technological developments and the advancement in FATF standards, it is necessary to review that approach. A first step to complete and update the Union legal framework has been achieved with Regulation (EU) 2023/1114 of the European Parliament and of the Council(¹⁴), which set requirements for crypto-asset service providers wishing to apply for an authorisation to provide their services in the internal market. It also introduced a definition of crypto-assets and crypto-asset service providers encompassing a broader range of activities. In addition, Regulation (EU) 2023/1113 has extended traceability requirements to transfers of crypto-assets carried out by crypto-asset service providers covered by Regulation (EU) 2023/1114, and amended Directive (EU) 2015/849 to require Member States to make those crypto-asset service providers obliged entities. Those crypto-asset service providers should also be covered by this Regulation, to mitigate any risk of misuse of crypto-assets for money laundering or terrorist financing purposes.

The creation of markets in unique and non-fungible crypto-assets is still recent and has not resulted in legislation regulating their functioning. The evolution of those markets is being monitored and it is important that it does not result in new money laundering and terrorist financing risks that would not be properly mitigated. By 30 December 2024, the Commission is to submit a report to the European Parliament and to the Council on the latest developments with respect to crypto-assets, including an assessment of the development of markets in unique and non-fungible crypto-assets, the appropriate regulatory treatment of such crypto-assets, including an assessment of necessity and feasibility of regulating providers of services related to unique and non-fungible crypto-assets. If appropriate, the Commission is to accompany that report with a legislative proposal.

Crowdfunding platforms’ vulnerabilities to money laundering and terrorist financing risks are horizontal and affect the internal market as a whole. To date, diverging approaches have emerged across Member States as to the management of those risks. While Regulation (EU) 2020/1503 of the European Parliament and of the Council(¹⁵) harmonises the regulatory approach for business investment and lending-based crowdfunding platforms across the Union and introduces several safeguards to deal with potential money laundering and terrorist financing risks, such as due diligence of crowdfunding platforms in respect of project owners and within authorisation procedures, the lack of a harmonised legal framework with robust AML/CFT obligations for crowdfunding platforms creates gaps and weakens the Union’s AML/CFT safeguards. It is therefore necessary to ensure that all crowdfunding platforms, including those already licensed under Regulation (EU) 2020/1503, are subject to Union AML/CFT legislation.

Crowdfunding intermediaries, which operate a digital platform in order to match or facilitate the matching of funders with projects owners such as associations or individuals that seek funding, are exposed to money laundering and terrorist financing risks. Undertakings that are not licensed under Regulation (EU) 2020/1503 are currently left either unregulated or are subject to diverging regulatory approaches across Member States, including in relation to rules and procedures to tackle money laundering and terrorist financing risks. Such intermediaries should therefore be subject to the obligations of this Regulation, in particular to avoid the diversion of funds as defined in Article 4, point (25), of Directive (EU) 2015/2366 or crypto-assets raised for illicit purposes by criminals. In order to mitigate such risks, those obligations apply to a wide range of projects, including, inter alia, educational or cultural projects and the collection of those funds or crypto-assets to support more general causes, for example in the humanitarian field, or to organise or celebrate a family or social event.

Directive (EU) 2015/849 set out to mitigate the money laundering and terrorist financing risks posed by large cash payments by including persons trading in goods among obliged entities where they make or receive payments in cash above EUR 10 000, whilst allowing Member States to introduce stricter measures. Such an approach has shown to be ineffective in light of the poor understanding and application of AML/CFT requirements, lack of supervision and limited number of suspicious transactions reported to the Financial Intelligence Unit (FIU). In order to adequately mitigate risks deriving from the misuse of large cash sums, a Union-wide limit to large cash payments above EUR 10 000 should be laid down. As a consequence, persons trading in goods no longer need to be subject to AML/CFT obligations, with the exception of persons trading in precious metals, precious stones, other high value goods and cultural goods.

Some categories of persons trading in goods are particularly exposed to money laundering and terrorist financing risks due to the high value of the often small, transportable goods they deal with. For that reason, persons dealing in precious metals and precious stones and other high value goods should be subject to AML/CFT requirements where such trading is either a regular or a principal professional activity.

Motor vehicles, watercraft and aircraft in the higher market segments are vulnerable to risks of misuse for money laundering and terrorist financing given their high value and transportability. Therefore, persons trading in such goods should be subject to AML/CFT requirements. The transportable nature of those goods is particularly attractive for the purposes of money laundering and terrorist financing given the ease with which such goods can be moved across or outside Union borders, and the fact that access to information on such goods where registered in third countries might not be easily accessible to competent authorities. To mitigate risks that Union high-value goods may be misused for criminal purposes and to ensure visibility on the ownership of such goods, it is necessary to require persons trading in high-value goods to report transactions concerning the sale of motor vehicles, watercraft and aircraft. Credit institutions and financial institutions provide services that are essential for the conclusion of the sale or transfer of ownership of such goods, and should also be required to report those transactions to the FIU. While goods intended solely for the pursuit of commercial activities should not be subject to such disclosure, sales for private, non-commercial use should not be limited to instances where the customer is a natural person, but should also relate to sales to legal entities and arrangements, in particular where they are set up to administer the wealth of their beneficial owner.

Investment migration operators are private companies, bodies or persons acting or interacting directly with the national authorities competent for granting rights of residence on behalf of third-country nationals or providing intermediary services to third-country nationals seeking to obtain residence rights in a Member State in exchange for any kind of investment, including capital transfers, purchase or renting of property, investment in government bonds, investment in corporate entities, donation or endowment of an activity contributing to the public good and contributions to the state budget. Investor residence schemes present risks and vulnerabilities in relation to money laundering, corruption and tax evasion. Such risks are exacerbated by the cross-border rights associated with residence in a Member State. Therefore, it is necessary that investment migration operators are subject to AML/CFT obligations. This Regulation should not apply to investor citizenship schemes, which result in the acquisition of nationality in exchange for such investment, as such schemes must be considered as undermining the fundamental status of Union citizenship and sincere cooperation among Member States.

While creditors for mortgage and consumer credits are typically credit institutions or financial institutions, there are consumer and mortgage credit intermediaries that do not qualify as credit institutions or financial institutions and have not been subject to AML/CFT requirements at Union level, but have been subject to such obligations in certain Member States due to their exposure to money laundering and terrorist financing risks. Depending on their business model, such consumer and mortgage credit intermediaries can be exposed to significant money laundering and terrorist financing risks. It is important to ensure that entities carrying out similar activities that are exposed to such risks are covered by AML/CFT requirements, regardless of whether they qualify as credit institutions or financial institutions. Therefore, it is appropriate to include consumer and mortgage credit intermediaries that are not credit institutions or financial institutions but that are, as a result of their activities, exposed to money laundering and terrorist financing risks. In many cases, however, the credit intermediary is acting on behalf of the credit institution or financial institution that grants and processes the loan. In those cases, AML/CFT requirements should not apply to consumer and mortgage credit intermediaries, but only to the credit institutions or financial institutions.

To ensure a consistent approach, it is necessary to clarify which entities in the investment sector are subject to AML/CFT requirements. Although collective investment undertakings already fall within the scope of Directive (EU) 2015/849, it is necessary to align the relevant terminology with the current Union investment fund legislation, namely Directives 2009/65/EC(¹⁶) and 2011/61/EU(¹⁷) of the European Parliament and of the Council. Because funds might be constituted without legal personality, the inclusion of their managers in the scope of this Regulation is also necessary. AML/CFT requirements should apply regardless of the form in which units or shares in a fund are made available for purchase in the Union, including where units or shares are directly or indirectly offered to investors established in the Union or placed with such investors at the initiative of the manager or on behalf of the manager. As both funds and fund managers fall within the scope of AML/CFT requirements, it is appropriate to clarify that a duplication of efforts should be avoided. To that end, the AML/CFT measures taken at the level of the fund and at the level of its manager should not be the same, but should reflect the allocation of tasks between the fund and its manager.

The activities of professional football clubs and football agents are exposed to risks of money laundering and its predicate offences due to several factors inherent to the football sector, such as the global popularity of football, the considerable sums, cash flows and financial interests involved, the prevalence of cross-border transactions, and the sometimes opaque ownership structures. All those factors expose football to possible abuse by criminals to legitimise illicit funds and thus make the sport vulnerable to money laundering and its predicate offences. Key areas of risk include, for example, transactions with investors and sponsors, including advertisers, and the transfer of players. Professional football clubs and football agents should therefore put in place robust anti-money laundering measures, including carrying out customer due diligence on investors, sponsors, including advertisers, and other partners and counterparties with whom they transact. In order to avoid any disproportionate burden on smaller clubs that are less exposed to risks of criminal misuse, Member States should be able to, on the basis of a proven lower risk of money laundering, its predicate crimes and terrorist financing, exempt certain professional football clubs from the requirements of this Regulation, whether in full or in part.

The activities of professional football clubs competing in the highest divisions of their national football leagues make them more exposed to higher risks of money laundering and its predicate offences compared to football clubs participating in lower divisions. For example, top-tier football clubs engage in more substantial financial transactions, such as high-value transfers of players and sponsorship deals, might have more complex corporate structures with multiple layers of ownership, and are more likely to engage in cross-border transactions. Those factors make such top-tier clubs more attractive for criminals and provide more opportunities to conceal illicit funds. Therefore, Member States should only be able to exempt professional football clubs participating in the highest division in cases of proven low risk and provided that such clubs have a turnover for each of the previous 2 years of less than EUR 5 000 000 or the equivalent in national currency. Nonetheless, the risk of money laundering is not determined solely by the division in which a football club competes. Lower-division clubs can also be exposed to significant risks of money laundering and its predicate offences. Member States should therefore only be able to exempt from the requirements of this Regulation football clubs in lower divisions that are associated with a proven low risk of money laundering, its predicate offences or terrorist financing.

This Regulation harmonises the measures to be put in place to prevent money laundering, its predicate offences and terrorist financing at Union level. At the same time, in line with the risk-based approach, Member States should be able to impose additional requirements in limited cases where they are confronted with specific risks. To ensure that such risks are adequately mitigated, obliged entities that have their head office located in another Member State should apply such additional requirements, whether they operate in that other Member State through freedom of establishment or under the freedom to provide services, provided they have an infrastructure in that other Member State. Furthermore, in order to clarify the relationship between those internal market freedoms, it is important to clarify what activities amount to an establishment.

Consistent with the case law of the Court of Justice of the European Union, unless specifically set out in sectorial legislation an establishment does not need to take the form of a subsidiary, branch or agency, but can consist of an office managed by an obliged entity’s own staff or by a person who is independent but authorised to act on a permanent basis for the obliged entity. According to that definition, which requires the actual pursuit of an economic activity at the place of establishment of the provider, a mere letter-box does not constitute an establishment. Equally, offices or other infrastructure used for supporting activities, such as mere back-office operations, IT-hubs or data centres operated by obliged entities, do not constitute an establishment. Conversely, activities such as the provision of crypto-asset services through ATMs constitute an establishment having regard to the limited physical equipment needed for operators that mainly service their customers through the internet, as is the case for crypto-asset service providers.

It is important that AML/CFT requirements apply in a proportionate manner and that the imposition of any requirement is proportionate to the role that obliged entities are able to play in the prevention of money laundering and terrorist financing. To that end, it should be possible for Member States, in line with the risk-based approach of this Regulation, to exempt certain operators from AML/CFT requirements where the activities they perform present low money laundering and terrorist financing risks and where the activities are limited in nature. To ensure transparent and consistent application of such exemptions across the Union, a mechanism should be put in place allowing the Commission to verify the necessity of the exemptions to be granted. The Commission should also publish such exemptions on a yearly basis in the Official Journal of the European Union.

A consistent set of rules on internal systems and controls that applies to all obliged entities operating in the internal market will strengthen AML/CFT compliance and make supervision more effective. In order to ensure adequate mitigation of money laundering and terrorist financing risks, as well as of risks of non-implementation or evasion of targeted financial sanctions, obliged entities should have in place an internal control framework consisting of risk–based policies, procedures and controls and a clear division of responsibilities throughout the organisation. In line with the risk-based approach of this Regulation, those policies, procedures and controls should be proportionate to the nature of the business, including its risks and complexity, and the size of the obliged entity and respond to the risks of money laundering and terrorist financing that the entity faces, including, for crypto-asset service providers, transactions with self-hosted wallets.

An appropriate risk-based approach requires obliged entities to identify the inherent risks of money laundering and terrorist financing as well as the risks of non-implementation or evasion of targeted financial sanctions that they face by virtue of their business in order to mitigate them effectively and to ensure that their policies, procedures and internal controls are appropriate to address those inherent risks. In doing so, obliged entities should take into account the characteristics of their customers, the products, services or transactions offered, including, for crypto-asset service providers, transactions with self-hosted addresses, the countries or geographical areas concerned and the distribution channels used. In light of the evolving nature of risks, such risk assessment should be regularly updated.

With a view to supporting a consistent and effective approach to the identification of risks affecting their businesses by obliged entities, AMLA should issue guidelines on minimum requirements for the content of the business-wide risk assessment and additional sources of information to be taken into account. Those sources could include information from international standard setters in the field of AML/CFT, such as FATF mutual evaluation reports, and other credible and reliable sources providing information on typologies, emerging risks and criminal activity, including corruption, such as reports from civil society organisations, media and academia.

It is appropriate to take account of the characteristics and needs of smaller obliged entities, and to ensure treatment which is appropriate to their specific needs, and the nature of the business. That might include exempting certain obliged entities from performing a risk assessment where the risks involved in the sector in which the entity operates are well understood.

The FATF has developed standards for jurisdictions to identify and assess the risks of potential non-implementation or evasion of the targeted financial sanctions related to proliferation financing, and to take action to mitigate those risks. Those new standards introduced by the FATF do not substitute nor undermine the existing strict requirements for countries to implement targeted financial sanctions to comply with the relevant United Nations Security Council (‘UNSC’) resolutions relating to the prevention, suppression and disruption of proliferation of weapons of mass destruction and its financing. Those existing obligations, as implemented at Union level by Council Decisions 2010/413/CFSP(¹⁸) and (CFSP) 2016/849(¹⁹) as well as by Council Regulations (EU) No 267/2012(²⁰) and (EU) 2017/1509(²¹), remain binding on all natural and legal persons within the Union. Given the specific risks of non-implementation and evasion of targeted financial sanctions to which the Union is exposed, it is appropriate to expand the assessment of risks to encompass all targeted financial sanctions adopted at Union level. The risk-sensitive nature of AML/CFT measures related to targeted financial sanctions does not remove the rule-based obligation incumbent upon all natural or legal persons in the Union to freeze and not make funds or other assets available, directly or indirectly, to designated persons or entities.

In order to ensure that risks of non-implementation or evasion of targeted financial sanctions are appropriately mitigated, it is important to set out measures that obliged entities are required to implement, including measures to check their customer base against the lists of persons or entities designated under targeted financial sanctions. The requirements incumbent upon obliged entities under this Regulation do not remove the rule-based obligation to freeze and not make funds and other assets available, directly or indirectly, to individuals or entities subject to targeted financial sanctions that apply to all natural or legal persons in the Union. In addition, the requirements of this Regulation are not intended to replace obligations regarding the screening of customers for the implementation of targeted financial sanctions under other Union legal acts or under national law.

In order to reflect the latest developments at international level, a requirement is to be introduced by this Regulation to identify, understand, manage and mitigate risks of potential non-implementation or evasion of targeted financial sanctions at obliged entity level.

Listing or designations of individuals or entities by the UNSC or the UN Sanctions Committee are integrated into Union law by means of decisions and regulations adopted under Article 29 of the Treaty on European Union (TEU) and Article 215 of the Treaty on the Functioning of the European Union (TFEU) respectively that impose targeted financial sanctions on such individuals and entities. The process for adoption of such acts at Union level requires verification of compliance of any designation or listing with fundamental rights granted under the Charter. Between the moment of publication by the UN and the moment of entry into application of the Union acts transposing the UN listings or designations, in order to enable the effective application of targeted financial sanctions, obliged entities should keep records of the funds or other assets they hold for customers listed or designated under UN financial sanctions, or customers owned or controlled by listed or designated individuals or entities, of any attempted transaction and of transactions carried out for the customer, such as for the fulfilment of basic needs of the customer.

In assessing whether a customer who is a legal entity is owned or controlled by individuals designated under targeted financial sanctions, obliged entities should take into account the Council Guidelines on implementation and evaluation of restrictive measures (sanctions) in the framework of the Union common foreign and security policy and the Best Practices for the effective implementation of restrictive measures.

It is important that obliged entities take all measures at the level of their management to implement internal policies, procedures and controls and to implement AML/CFT requirements. While a member of the management body should be identified as being responsible for implementing the obliged entity’s internal policies, procedures and controls, the responsibility for compliance with AML/CFT requirements should rest ultimately with the management body of the entity. That attribution of responsibility should be without prejudice to national provisions on joint civil or criminal liability of management bodies. Tasks pertaining to the day-to-day implementation of the obliged entity’s AML/CFT internal policies, procedures and controls should be entrusted to the compliance officer.

It should be possible for each Member State to lay down in its national law that an obliged entity subject to prudential rules requiring the appointment of a compliance officer or of a head of the internal audit function can entrust those persons with the functions and responsibilities of AML/CFT compliance officer and internal audit function for AML/CFT purposes. In cases of higher risks, or where justified by the size of the obliged entity, it should be possible for the responsibilities of compliance controls and of the day-to-day operation of the obliged entity’s AML/CFT policies and procedures to be entrusted to two different persons.

For effective implementation of AML/CFT measures, it is also vital that the employees of obliged entities, as well as their agents and distributors, who have a role in that implementation understand the requirements and the internal policies, procedures and controls in place in the entity. Obliged entities should put in place measures, including training programmes, to this effect. Where necessary, obliged entities should provide basic training on AML/CFT measures to all those who have a role in implementing such measures. That includes not only the employees of obliged entities but also their agents and distributors.

Individuals entrusted with tasks related to an obliged entity’s compliance with AML/CFT requirements should undergo assessment of their skills, knowledge, expertise, integrity and conduct. Performance by employees of tasks related to the obliged entity’s compliance with the AML/CFT framework in relation to customers with whom they have a close private or professional relationship can lead to conflicts of interests and undermine the integrity of the system. Such relations might exist at the time of the establishment of the business relationship but can also arise thereafter. Therefore, obliged entities should have in place processes to manage and address conflicts of interests. Those processes should ensure that employees are prevented from performing any tasks related to the obliged entity’s compliance with the AML/CFT framework in relation to such customers.

Situations might occur where individuals who would qualify as obliged entities provide their services in-house to businesses whose activities do not fall within the scope of this Regulation. As those businesses do not act as gatekeepers of the Union’s financial system, it is important to clarify that such employees, for example in-house lawyers, are not covered by the requirements of this Regulation. Similarly, individuals carrying out activities that fall within the scope of this Regulation should not be considered obliged entities in their own right where those activities are carried out in the context of their employment with an obliged entity, for example in the case of lawyers or accountants employed with a legal or accounting firm.

The consistent implementation of group-wide AML/CFT policies and procedures is key to the robust and effective management of money laundering and terrorist financing risks within a group. To that end, group-wide policies, procedures and controls should be adopted and implemented by the parent undertaking. Entities within a group should be required to exchange information where such sharing is relevant for preventing money laundering and terrorist financing. Information sharing should be subject to sufficient guarantees in terms of confidentiality, data protection and use of information. AMLA should have the task of drawing up draft regulatory standards specifying the minimum requirements of group-wide procedures and policies, including minimum standards for information sharing within a group and the criteria for identifying parent undertakings for groups whose head office is located outside of the Union.

In order to ensure effective application of AML/CFT requirements where several obliged entities are directly or indirectly linked with each other and constitute, or are a part of, a group of entities, it is necessary to consider the broadest possible definition of a group. For that purpose, obliged entities should follow applicable accounting rules which allow structures with various types of economic links to be considered as groups. While a traditional group includes a parent undertaking and its subsidiaries, other types of group structures are equally relevant, for example group structures of several parent entities owning a single subsidiary, which have been referred to as entities permanently affiliated to a central body in Article 10 of Regulation (EU) No 575/2013 of the European Parliament and of the Council(²²), or financial institutions which are members of the same institutional protection scheme referred to in Article 113(7) of that Regulation. Those structures are all groups according to accounting rules and should therefore be considered as groups for the purposes of this Regulation.

In addition to groups, other structures exist, such as networks or partnerships, in which obliged entities might share common ownership, management and compliance controls. To ensure a level playing field across the sectors whilst avoiding overburdening those sectors, AMLA should identify those situations where similar group-wide policies are to apply to those structures, taking into account the principle of proportionality.

There are circumstances where branches and subsidiaries of obliged entities are located in third countries where the minimum AML/CFT requirements, including data protection obligations, are less strict than the Union AML/CFT framework. In such situations, and in order to fully prevent the use of the Union’s financial system for the purposes of money laundering and terrorist financing and to ensure the highest standard of protection for personal data of Union citizens, those branches and subsidiaries should comply with AML/CFT requirements laid down at Union level. Where the law of a third country does not permit compliance with those requirements, for example because of limitations to the group’s ability to access, process or exchange information due to an insufficient level of data protection or banking secrecy law in that third country, obliged entities should take additional measures to ensure that branches and subsidiaries located in that country effectively handle the risks. AMLA should be tasked with developing draft regulatory technical standards specifying the type of such additional measures, taking into account the principle of proportionality.

Obliged entities might outsource tasks relating to the performance of certain AML/CFT requirements to a service provider. In the case of outsourcing relationships on a contractual basis between obliged entities and service providers not covered by AML/CFT requirements, any AML/CFT obligations upon those service providers arise only from the contract between the parties and not from this Regulation. Therefore, the responsibility for complying with AML/CFT requirements should remain entirely with the obliged entity. The obliged entity should in particular ensure that, where a service provider is involved for the purposes of remote customer identification, the risk-based approach is respected. Processes or arrangements that contribute to the performance of a requirement under this Regulation, but where the performance of the requirement itself is not carried out by a service provider, such as the use or acquisition of third-party software or the access to databases or screening services by the obliged entity, are not considered to be outsourcing.

The possibility to outsource tasks to a service provider allows obliged entities to decide on how to allocate their resources to comply with this Regulation, but does not relieve them of their obligation to understand whether the measures they undertake, including those outsourced to service providers, mitigate the money laundering and terrorist financing risks identified, and whether such measures are appropriate. In order to ensure that such understanding is in place, the final decisions on measures that have a bearing on the implementation of policies, procedures and controls should always rest with the obliged entity.

The notification of outsourcing arrangements to the supervisor does not imply an acceptance of the outsourcing arrangement. The information contained in that notification, in particular where critical functions are outsourced or where the obliged entity systematically outsources its functions, might however be taken into consideration by supervisors when assessing the obliged entity’s systems and controls, and when determining the residual risk profile or in preparation for inspections.

In order for outsourcing relationships to function efficiently, further clarity is needed around the conditions according to which outsourcing takes place. AMLA should have the task of developing guidelines on the conditions under which outsourcing can take place, as well as the roles and responsibilities of the respective parties. To ensure that consistent oversight of outsourcing practices is ensured throughout the Union, the guidelines should also provide clarity on how supervisors are to take into account such practices and verify compliance with AML/CFT requirements when obliged entities resort to those practices.

Customer due diligence requirements are essential to ensure that obliged entities identify, verify and monitor their business relationships with their clients, in relation to the money laundering and terrorist financing risks that they pose. Accurate identification and verification of data of prospective and existing customers are essential for understanding the risks of money laundering and terrorist financing associated with clients, whether they are natural or legal persons. Obliged entities should also understand on whose behalf or for the benefit of whom a transaction is carried out, for example in situations where credit institutions or financial institutions provide accounts to legal professionals for the purposes of receiving or holding their client’s funds as defined in Article 4, point (25), of Directive (EU) 2015/2366. In the context of customer due diligence, the person for the benefit of whom a transaction or activity is carried out does not refer to the recipient or beneficiary of a transaction carried out by the obliged entity for their customer.

It is necessary to achieve a uniform and high standard of customer due diligence in the Union, relying on harmonised requirements for the identification of customers and verification of their identity, and reducing national divergences to allow for a level playing field across the internal market and for a consistent application of provisions throughout the Union. At the same time, it is essential that obliged entities apply customer due diligence measures in a risk-based manner. The risk-based approach is not an unduly permissive option for obliged entities. It involves the use of evidence-based decision-making in order to target more effectively the risks of money laundering and terrorist financing facing the Union and those operating within it.

Civil society organisations that conduct charitable or humanitarian work in third countries contribute to the Union’s goals of achieving peace, stability, democracy and prosperity. Credit institutions and financial institutions play an important role in ensuring that such organisations can continue to conduct their work, by providing access to the financial system and important financial services that allow development and humanitarian funding to be channelled to developing or conflict areas. While obliged entities should be aware that activities conducted in certain jurisdictions expose them to a higher risk of money laundering or terrorist financing, the operation of civil society organisations in those jurisdictions should not, alone, result in the refusal to provide financial services or termination of such services, as the risk-based approach requires a holistic assessment of risks posed by individual business relationships, and the application of adequate measures to mitigate the specific risks. While credit institutions and financial institutions remain free to decide with whom they engage in contractual relationships, they should also be mindful of their central role in the functioning of the international financial system, and in enabling the movement of funds as defined in Article 4, point (25), of Directive (EU) 2015/2366 or of crypto-assets, for the important development and humanitarian goals that civil society organisations pursue. Such institutions should therefore make use of the flexibility allowed by the risk-based approach to mitigate the risks associated with business relationships in a proportionate manner. Under no circumstances should AML/CFT reasons be invoked to justify commercial decisions as regards prospective or existing clients.

Obliged entities should identify and take reasonable measures to verify the identity of the beneficial owner using reliable documents and sources of information. The consultation of central registers of beneficial ownership information (‘central registers’) allows obliged entities to ensure consistency with information obtained through the verification process and should not be the obliged entity’s primary source for verification. Where obliged entities identify discrepancies between information held in the central registers and the information they obtain from the customer or other reliable sources in the course of customer due diligence, they should report those discrepancies to the entity in charge of the relevant central register so that measures can be taken to resolve inconsistencies. That process contributes to the quality and reliability of information held in those registers, as part of a multi-pronged approach towards ensuring that information contained in central registers is accurate, adequate and up-to-date. In low-risk situations and where the beneficial owners are known to the obliged entity, it should be possible for obliged entities to allow the customer to report discrepancies where minor differences are identified that consist of errors of a typographical or similar technical nature.

The risks posed by foreign legal entities and foreign legal arrangements need to be adequately mitigated. Where a legal entity created outside the Union or an express trust or similar legal arrangement administered outside the Union, or whose trustee or person in an equivalent position resides or is established outside the Union, is about to enter into a business relationship with an obliged entity, the registration of the beneficial ownership information in the central register of a Member State should be a precondition for entering into the business relationship. However, for legal entities created outside the Union, the requirement should only apply in the case of medium-high or high risks of money laundering, its predicate offences or terrorist financing associated with the category of foreign legal entity, the sector in which the foreign legal entity operates, or in the case of medium-high or high risks of money laundering, its predicate offences or terrorist financing associated with the sector in which the obliged entity operates. The registration of the beneficial ownership information should also be a precondition for the continuation of a business relationship with a legal entity created outside the Union in a situation where that relationship becomes associated with such medium-high or high risks after its establishment.

The process of establishing a business relationship or carrying out the steps necessary to conduct an occasional transaction is triggered when the customer expresses an interest in acquiring a product or receiving a service from an obliged entity. The services offered by real estate agents include helping customers to find a property to purchase, sell, rent or lease. Such services start to be relevant for AML/CFT purposes where there is a clear indication that the parties are willing to proceed with the purchase, sale, rental or lease or with taking the necessary preparatory steps. That could be, for instance, the moment when an offer for the purchase or rental of the property is made and accepted by the parties. Prior to that moment, it would not be necessary to conduct due diligence on any prospective customer. Similarly, it would not be proportionate to conduct customer due diligence on persons that have not yet expressed an interest in going forward with the purchase or rental of a specific property.

Real estate transactions are exposed to money laundering and terrorist financing risks. In order to mitigate those risks, real estate operators intermediating the buying, selling and letting of immovable property should be subject to the requirements of this Regulation, regardless of their designation or principal business or profession, including property developers when and to the extent that they intermediate in the buying, selling and letting of immovable property.

The anonymity associated with certain electronic money products exposes them to money laundering and terrorist financing risks. There are however significant differences across the sector, and not all electronic money products bear the same level of risk. For example, certain low value electronic money products, such as prepaid gift cards or prepaid vouchers, might present low risks of money laundering or terrorist financing. In order to ensure that the requirements imposed on the sector are commensurate with its risk and do not effectively hamper its operation, it should be possible, in certain proven low-risk circumstances and under strict risk-mitigating conditions, to exempt those products from certain customer due diligence measures, such as the identification and verification of the customer and of the beneficial owner, but not from the monitoring of transactions or of business relationships. It should only be possible for supervisors to grant such an exemption upon verification of the proven low risk having regard to relevant risk factors to be defined by AMLA and in a way that effectively mitigates any risk of money laundering or terrorist financing and that precludes circumvention of AML/CFT rules. In any case, any exemption should be conditional on strict limits regarding the maximum value of the product, its exclusive use to purchase goods or services, and provided that the amount stored cannot be exchanged for other value.

Obliged entities should not be required to apply due diligence measures on customers carrying out occasional or linked transactions below a certain value, unless there is suspicion of money laundering or terrorist financing. Whereas the EUR 10 000, or the equivalent in national currency, threshold applies to most occasional transactions, obliged entities which operate in sectors or carry out transactions that present a higher risk of money laundering and terrorist financing should be required to apply customer due diligence measures for transactions with lower thresholds. To identify the sectors or transactions as well as the adequate thresholds for those sectors or transactions, AMLA should develop dedicated draft regulatory technical standards.

There are specific situations where, for the purposes of customer due diligence, the customer is not limited to the person transacting with the obliged entity. That is the case, for example, where only one notary is involved in a real estate transaction. In such cases, in order to ensure that adequate checks are carried out on the transaction to detect possible cases of money laundering, its predicate offences or terrorist financing, obliged entities should consider both the buyer and the seller as customers and apply customer due diligence measures on both parties. This Regulation should provide a list of such situations where the customer is not, or is not limited to, the direct customer of the obliged entity. Such a list should complement the understanding of who the customer is in typical situations and should not be understood as encompassing an exhaustive interpretation of the term. Similarly, a business relationship should not always require a contractual relationship or other formal engagement as long as the services are provided repeatedly or over a period of time so as to entail an element of duration. Where national law precludes obliged entities that are public officials from entering into contractual relationships with customers, such national law should not be construed as prohibiting obliged entities from treating a series of transactions as a business relationship for the purposes of AML/CFT.

The introduction of a Union-wide limit to large cash payments mitigates the risks associated with the use of such payments. However, obliged entities that carry out transactions in cash below that limit remain vulnerable to risks of money laundering and terrorist financing as they provide a point of entry into the Union’s financial system. Therefore, it is necessary to require the application of customer due diligence measures to mitigate the risks of misuse of cash. To ensure that the measures are proportionate with the risks posed by transactions of a value lower than EUR 10 000, such measures should be limited to the identification and verification of the customer and the beneficial owner when carrying out occasional transactions in cash of at least EUR 3 000. That limitation does not relieve the obliged entity from applying all customer due diligence measures whenever there is a suspicion of money laundering or terrorist financing, or from reporting suspicious transactions to the FIU.

Some business models are based on the obliged entity having a business relationship with a merchant for offering payment initiation services through which the merchant gets paid for the provision of goods or services, and not with the merchant’s customer, who authorises the payment initiation service to initiate a single or one-off transaction to the merchant. In such a business model, the obliged entity’s customer for the purpose of AML/CFT rules is the merchant, and not the merchant’s customer. Therefore, with respect to payment initiation services, customer due diligence measures should be applied by the obliged entity vis-a-vis the merchant. In relation to other financial services that fall within the scope of this Regulation, including where provided by the same operator, the determination of the customer should be done having regard to the services provided.

Gambling activities vary in nature, geographical scope and associated risks. In order to ensure a proportionate and risk-based application of this Regulation, it should be possible for Member States to identify gambling services associated with low money laundering and terrorist financing risks, such as State or private lotteries or State-administered gambling activities, and to decide not to apply all or some of the requirements of this Regulation to them. Given the potential cross-border effects of national exceptions, it is necessary to ensure a consistent application of a strict risk-based approach across the Union. To that end, the Commission should be enabled to approve Member States’ decisions, or to reject them where the exception is not justified by a proven low risk. In any case, no exception should be granted in relation to activities associated with higher risks. This is the case for activities such as casinos, online gambling and sport betting, but is not the case where online gambling activities are administered by the State, whether through direct provision of those services or through regulation of the way in which those gambling services are organised, operated and administered. In light of the risks for public health or of criminal activities that can be associated with gambling, national measures regulating the organisation, operation and administration of gambling, where genuinely pursuing goals of public policy, public security or public health, can contribute to reducing the risks associated with that activity.

The EUR 2 000, or the equivalent in national currency, threshold applicable to providers of gambling services is met regardless of whether the customer carries out a single transaction of at least that amount or several smaller transactions which add up to that amount. To that effect, providers of gambling services should be able to attribute transactions to a given customer even if they have not yet verified the customer’s identity, to be in a position to determine whether and when that threshold has been met. Thus, providers of gambling services should have systems in place that allow attribution and monitoring of transactions prior to the application of the requirement to conduct customer due diligence. In the case of casinos or other physical gambling premises, it can be impractical to check the customer’s identity upon each transaction. In such cases, it should be possible to identify the customer and verify the customer’s identity upon entry into the gambling premises, provided that systems are in place to attribute transactions carried out at the gambling premises, including the purchase or exchange of gambling chips, to that customer.

Directive (EU) 2015/849, despite having harmonised the rules of Member States in the area of customer identification obligations to a certain degree, did not lay down detailed rules in relation to the procedures to be followed by obliged entities. In view of the crucial importance of that aspect in the prevention of money laundering and terrorist financing, it is appropriate, in accordance with the risk-based approach, to introduce more specific and detailed provisions on the identification of the customer and on the verification of the customer’s identity, whether in relation to natural or legal persons, legal arrangements such as trusts, or entities having legal capacity under national law.

Technological developments and progress in digitalisation enable a secure remote or electronic identification and verification of prospective and existing customers and can facilitate the remote performance of customer due diligence. The identification solutions as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council(²³) enable secure and trusted means of customer identification and verification for both prospective and existing customers and can facilitate the remote performance of customer due diligence. The electronic identification as set out in that Regulation should be taken into account and accepted by obliged entities for the customer identification process. The use of such means of identification can reduce, where appropriate risk mitigation measures are in place, the risk level to standard or even low. Where such electronic identification is not available to a customer, for example due to the nature of their residence status in a given Member State or their residence in a third country, verification should take place through relevant qualified trust services.

To ensure that the AML/CFT framework prevents illicit funds from entering the financial system, obliged entities should carry out customer due diligence before entering into business relationships with prospective clients, in line with the risk-based approach. Nevertheless, in order not to unnecessarily delay the normal conduct of business, obliged entities should be able to collect the information from the prospective customer during the establishment of a business relationship. Credit institutions and financial institutions should be able to obtain the necessary information from the prospective customers once the relationship is established, provided that transactions are not initiated until the customer due diligence process is successfully completed.

The customer due diligence process is not limited to the identification and verification of the customer’s identity. Before entering into business relationships or carrying out occasional transactions, obliged entities should also assess the purpose and nature of a business relationship or occasional transaction. Pre-contractual or other information about the proposed product or service that is communicated to the prospective customer can contribute to the understanding of that purpose. Obliged entities should always be able to assess the purpose and nature of a prospective business relationship or occasional transaction in an unambiguous manner. Where the offered service or product enables customers to carry out various types of transactions or activities, obliged entities should obtain sufficient information on the intention of the customer regarding the use to be made of that relationship.

To ensure the effectiveness of the AML/CFT framework, obliged entities should regularly review the information obtained from their customers, in accordance with the risk-based approach. Business relationships are likely to evolve as the customer’s circumstances and the activities they conduct through the business relationship change over time. In order to maintain a comprehensive understanding of the customer risk profile and conduct meaningful scrutiny of transactions, obliged entities should regularly review the information obtained from their customers, in accordance with the risk-based approach. Such reviews should be done on a periodic basis but should also be triggered by changes in relevant circumstances of the customer, when facts and information point towards a potential change in the risk profile or identification details of the customer. To that end, the obliged entity should consider the need to review the customer file in response to material changes, such as a change in the jurisdictions transacted with, in the value or volume of transactions, upon requests for new products or services that are significantly different in terms of risk, or following changes in beneficial ownership.

In the context of repeated clients for whom customer due diligence measures have recently been conducted, it should be possible for customer due diligence measures to be fulfilled by obtaining a confirmation from the customer that the information and documents held in the records have not changed. Such a method facilitates the application of AML/CFT obligations in situations where the obliged entity is confident that the information pertaining to the customer has not changed, as it is incumbent on obliged entities to ensure that they take adequate customer due diligence measures. In all cases, the confirmation received from the customer, and any changes to the information held on the customer, should be recorded.

Obliged entities might provide more than one product or service in the context of a business relationship. In those circumstances, the requirement to update information, data and documents at regular intervals is not intended to target the individual product or service, but the business relationship in its entirety. It is for the obliged entities to assess, across the range of products or services provided, when the relevant circumstances of the customer change, or when other conditions triggering the updating of the customer due diligence are met, and to proceed to review the customer file in relation to the entirety of the business relationship.

Obliged entities should also set up a monitoring system to detect transactions that might raise money laundering or terrorist financing suspicions. To ensure the effectiveness of the transaction monitoring, obliged entities’ monitoring activity should in principle cover all services and products offered to customers and all transactions which are carried out on behalf of the customer or offered to the customer by the obliged entity. However, not all transactions need to be scrutinised individually. The intensity of the monitoring should respect the risk-based approach and be designed around precise and relevant criteria, taking account, in particular, of the characteristics of the customer and the risk level associated with them, the products and services offered, and the countries or geographical areas concerned. AMLA should develop guidelines to ensure that the intensity of the monitoring of business relationships and of transactions is adequate and proportionate to the level of risk.

Terminating the business relationship where customer due diligence measures cannot be complied with reduces the obliged entity’s exposure to risks posed by possible changes in the customer’s profile. However, there might be situations where the termination should not be pursued due to public interest goals. This is the case, for example, in relation to life insurance contracts, where obliged entities should, where necessary, as an alternative to termination take measures to freeze the business relationship including by prohibiting any further services to that customer and withholding the payout to beneficiaries, until customer due diligence measures can be complied with. Additionally, certain products and services require the obliged entity to continue holding or receiving the customer’s funds as defined in Article 4, point (25), of Directive (EU) 2015/2366, for example in the context of lending, payment accounts or the taking of deposits. That should however not be treated as an impediment to the requirement to terminate the business relationship, which can be achieved by ensuring that no transactions or activities are carried out for the customer.

In order to ensure consistent application of this Regulation, AMLA should have the task of drawing up draft regulatory technical standards on customer due diligence. Those regulatory technical standards should set out the minimum set of information to be obtained by obliged entities in order to enter into new business relationships with customers or assess ongoing ones, according to the level of risk associated with each customer. Furthermore, the draft regulatory technical standards should provide sufficient clarity to allow market players to develop secure, accessible and innovative means of verifying customers’ identity and performing customer due diligence, including remotely, while respecting the principle of technology neutrality. Those specific tasks are in line with the role and responsibilities of AMLA as provided in Regulation (EU) 2024/1620.

The harmonisation of customer due diligence measures will contribute to achieving consistent, and consistently effective, understanding of the risks associated with an existing or prospective customer regardless of where the business relationship is opened in the Union. That harmonisation should also ensure that the information obtained in the performance of customer due diligence is not used by obliged entities to pursue de-risking practices which might result in circumventing other legal obligations, in particular those laid down in Directive 2014/92/EU of the European Parliament and of the Council(²⁴) or Directive (EU) 2015/2366, without achieving the Union’s objectives in the prevention of money laundering and terrorist financing. To enable the proper supervision of compliance with the customer due diligence obligations, it is important that obliged entities keep record of the actions undertaken and the information obtained during the customer due diligence process, irrespective of whether a new business relationship is established with them and of whether they have submitted a suspicious transaction report upon refusing to establish a business relationship. Where the obliged entity takes a decision to not enter into a business relationship with a prospective customer, or to terminate an existing business relationship, to refuse to carry out an occasional transaction, or to apply alternative measures to terminating a business relationship, the customer due diligence records should include the grounds for such a decision. That will enable supervisory authorities to assess whether obliged entities have appropriately calibrated their customer due diligence practices and how the entity’s risk exposure evolves, as well as help to build statistical evidence on the application of customer due diligence rules by obliged entities throughout the Union.

The approach for the review of existing customers in the current AML/CFT framework is already risk-based. However, given the higher risk of money laundering, its predicate offences and terrorist financing associated with certain intermediary structures, that approach might not allow for the timely detection and assessment of risks. It is therefore important to ensure that clearly specified categories of existing customers are also monitored on a regular basis.

Risk itself is variable in nature, and the variables, on their own or in combination, can increase or decrease the potential risk posed, thus having an impact on the appropriate level of preventive measures, such as customer due diligence measures.

In low risk situations, obliged entities should be able to apply simplified due diligence measures. That does not equate to an exemption or absence of customer due diligence measures. It rather consists of a simplified or reduced set of scrutiny measures, which should however address all components of the standard due diligence procedure. In line with the risk-based approach, obliged entities should nevertheless be able to reduce the frequency or intensity of their customer or transaction scrutiny, or rely on adequate assumptions with regard to the purpose of the business relationship or use of simple products. The regulatory technical standards on customer due diligence should set out the specific simplified measures that obliged entities are able to implement in the case of lower risk situations identified in the risk assessment at Union level conducted by the Commission. When developing draft regulatory technical standards, AMLA should have due regard to preserving social and financial inclusion.

It should be recognised that certain situations present a greater risk of money laundering or terrorist financing. Although the identity and business profile of all customers should be established with the regular application of customer due diligence measures, there are cases in which particularly rigorous customer identification and verification procedures are required. Therefore, it is necessary to lay down detailed rules on such enhanced due diligence measures, including specific enhanced due diligence measures for cross-border correspondent relationships.

Cross-border correspondent relationships with a third country’s respondent institution are characterised by their on-going, repetitive nature. Moreover, not all cross-border correspondent banking services present the same level of money laundering and terrorist financing risks. Therefore, the intensity of the enhanced due diligence measures should be determined by application of the principles of the risk-based approach. However, the risk-based approach should not be applied when interacting with a third country’s respondent institutions that have no physical presence where they are created, or with unregistered and unlicensed entities providing crypto-asset services. Given the high risk of money laundering and terrorist financing inherent in shell institutions, credit institutions and financial institutions should refrain from entertaining any correspondent relationship with such shell institutions, as well as with counterparts in third countries that allow their accounts to be used by shell institutions. To avoid misuse of the Union’s financial system to provide unregulated services, crypto-assets service providers should also ensure that their accounts are not used by nested exchanges and should have in place policies and procedures to detect any such attempt.

In the context of the performance of their oversight function, supervisors might identify situations where breaches of AML/CFT requirements by third-country respondent institutions, or weaknesses in their implementation of the AML/CFT requirements, cause risks to the Union’s financial system. In order to mitigate those risks, it should be possible for AMLA to address recommendations to credit institutions and financial institutions in the Union in order to inform them of its views regarding the deficiencies of those third-country respondent institutions. Those recommendations should be issued where AMLA and financial supervisors in the Union agree that the breaches and weaknesses in place in the third-country respondent institutions are likely to affect the risk exposure of correspondent relationships by credit institutions and financial institutions in the Union, and provided that the third-country respondent institution and its supervisor have had the opportunity to provide their views. In order to preserve the good functioning of the Union’s financial system, credit institutions and financial institutions should take adequate measures in response to recommendations by AMLA, including by abstaining from entering into or continuing a correspondent relationship unless they can put in place sufficient mitigating measures to address the risks posed by the correspondent relationship.

In the context of enhanced due diligence measures, obtaining approval from senior management for establishing business relationships does not need to imply, in all cases, obtaining approval from the board of directors. It should be possible for such approval to be granted by someone with sufficient knowledge of the entity’s money laundering and terrorist financing risk exposure and of sufficient seniority to take decisions affecting its risk exposure.

In order to protect the proper functioning of the Union’s financial system from money laundering and terrorist financing, the Commission should be empowered to adopt delegated acts to identify third countries whose shortcomings in their national AML/CFT regimes represent a threat to the integrity of the Union’s internal market. The changing nature of money laundering and terrorist financing threats from outside the Union, facilitated by a constant evolution of technology and of the means at the disposal of criminals, requires that quick and continuous adaptations of the legal framework as regards third countries be made in order to address efficiently existing risks and prevent new ones from arising. The Commission should take into account, as a baseline for its assessment, information from international organisations and standard setters in the field of AML/CFT, such as FATF public statements, mutual evaluation or detailed assessment reports or published follow-up reports, and adapt its assessments to the changes therein, where appropriate. The Commission should act within 20 days of ascertaining shortcomings in a third country’s AML/CFT regime that pose a threat to the integrity of the Union’s internal market.

Third countries which are ‘subject to a call for action’ by the relevant international standard-setter, namely the FATF, present significant strategic deficiencies of a persistent nature in their legal and institutional AML/CFT frameworks and their implementation which are likely to pose a high risk to the Union’s financial system. The persistent nature of those significant strategic deficiencies, reflective of the lack of commitment or continued failure by the third country to tackle them, signal a heightened level of threat emanating from those third countries, which requires an effective, consistent and harmonised mitigating response at Union level. Therefore, obliged entities should be required to apply the whole set of available enhanced due diligence measures to occasional transactions and business relationships involving those high-risk third countries to manage and mitigate the underlying risks. Furthermore, the high level of risk justifies the application of additional specific countermeasures, whether at the level of obliged entities or by the Member States. Such an approach would avoid divergence in the determination of the relevant countermeasures, which would expose the entirety of Union’s financial system to risks. Where Member States identify specific risks that are not mitigated, they should be able to apply additional countermeasures, in which case they should notify the Commission thereof. Where the Commission considers that those risks are of relevance for the internal market, it should be able to update the relevant delegated act to include the necessary additional countermeasures to mitigate those risks. Where the Commission considers that those countermeasures are not necessary and undermine the proper functioning of the Union’s internal market, it should be empowered to decide that the Member State put an end to the specific countermeasure. Prior to triggering the procedure for that decision, the Commission should provide an opportunity to the Member State concerned to submit its views on the consideration of the Commission. Given its technical expertise, AMLA can provide useful input to the Commission in identifying the appropriate countermeasures.

Compliance weaknesses in both the legal and institutional AML/CFT framework and its implementation in third countries which are subject to ‘increased monitoring’ by the FATF are susceptible to be exploited by criminals. This is likely to represent a risk for the Union’s financial system, and that risk needs to be managed and mitigated. The commitment of those third countries to address identified weaknesses, while not eliminating the risk, justifies a mitigating response less severe than that applicable to high-risk third countries. Where such third countries commit to address identified weaknesses, obliged entities should apply enhanced due diligence measures to occasional transactions and business relationships when dealing with natural persons or legal entities established in those third countries that are tailored to the specific weaknesses identified in each third country. Such granular identification of the enhanced due diligence measures to be applied would, in line with the risk-based approach, also ensure that the measures are proportionate to the level of risk. To ensure such consistent and proportionate approach, the Commission should be able to identify which specific enhanced due diligence measures are required in order to mitigate country-specific risks. Given AMLA’s technical expertise, it can provide useful input to the Commission to identify the appropriate enhanced due diligence measures.

Countries that are not publicly identified as subject to calls for actions or increased monitoring by the FATF might still pose a specific and serious threat to the integrity of the Union’s financial system, which could be due either to compliance weaknesses or to significant strategic deficiencies of a persistent nature in their AML/CFT regime. To mitigate those specific risks, that cannot be mitigated through measures applicable to countries with strategic deficiencies or countries with compliance weaknesses, it should be possible for the Commission to take action in exceptional circumstances by identifying such third countries, based on a clear set of criteria and with the support of AMLA. According to the level of risk posed to the Union’s financial system, the Commission should require the application either of all enhanced due diligence measures and country-specific countermeasures, in relation to high-risk third countries, or of country-specific enhanced due diligence measures, in relation to third countries with compliance weaknesses.

In order to ensure a consistent identification of third countries that pose a specific and serious threat to the Union’s financial system, while not being publicly identified as subject to calls for actions or increased monitoring by the FATF, the Commission should be able to set out, by means of an implementing act, the methodology for the identification in exceptional circumstances of such third countries. That methodology should include in particular how the criteria are to be assessed and the process for the interaction with such third countries and for the involvement of Member States and AMLA in the preparatory stages of such identification.

Considering that there could be changes to the AML/CFT frameworks of third countries identified under this Regulation, or in their implementation, for example as result of the country’s commitment to address the identified weaknesses or of the adoption of relevant AML/CFT measures to tackle them, which could change the nature and level of the risks emanating from them, the Commission should regularly review the identification of those specific enhanced due diligence measures in order to ensure that they remain proportionate and adequate.

Potential external threats to the Union’s financial system do not only emanate from third countries, but can also emerge in relation to specific customer risk factors or products, services, transactions or delivery channels which are observed in relation to a specific geographical area outside the Union. There is therefore a need to identify money laundering and terrorist financing trends, risks and methods to which Union’s obliged entities might be exposed. AMLA is best placed to detect any emerging money laundering and terrorist financing typologies from outside the Union, in order to monitor their evolution with a view to providing guidance to the Union’s obliged entities on the need to apply enhanced due diligence measures aimed at mitigating such risks.

Relationships with individuals who hold or who have held important public functions, within the Union or internationally, and in particular individuals from countries where corruption is widespread, could expose the financial sector to significant reputational and legal risks. The international effort to combat corruption also justifies the need to pay particular attention to such persons and to apply appropriate enhanced due diligence measures with respect to persons who are or who have been entrusted with prominent public functions and with respect to senior figures in international organisations. Therefore, it is necessary to specify measures which obliged entities should apply with respect to transactions or business relationships with politically exposed persons. To facilitate the risk-based approach, AMLA should be tasked with issuing guidelines on assessing the level of risks associated with a particular category of politically exposed persons, their family members or persons known to be close associates.

Risks associated with persons who are or who have been entrusted with prominent public functions are not limited to the national level but can also exist at regional or municipal levels. This is particularly true at the local level for densely populated areas, such as cities, which alongside the regional level often manage significant public funds and access to critical services or permits, with a resulting risk of corruption and associated money laundering. Therefore, it is necessary to include in the category of persons who are or who have been entrusted with prominent public functions the heads of regional and local authorities, including groupings of municipalities and metropolitan regions, with at least 50 000 inhabitants. At the same time, it should be acknowledged that the geography and administrative organisation of Member States vary significantly, and Member States should be able, where appropriate, to set a lower threshold to cover the relevant local authorities on the basis of risk. Where Member States decide to set lower thresholds, they should communicate those lower thresholds to the Commission.

Members of the administrative, management or supervisory bodies of enterprises controlled by the state or by regional or local authorities can also be exposed to risks of corruption and associated money laundering. Given the size of the budget of such enterprises and the funds under management, such risks are particularly acute in relation to senior executive members in enterprises controlled by the state. Risks can also arise in relation to enterprises of a significant size controlled by regional and local authorities. As a result, the senior executives in enterprises controlled by regional or local authorities should be considered as politically exposed persons where those enterprises qualify as medium-sized or large undertakings or groups as defined in Article 3 of Directive 2013/34/EU of the European Parliament and of the Council(²⁵). However, recognising the geographical and administrative organisational differences, and the powers and responsibilities associated with those enterprises and their senior executives, Member States should be able to choose to set a lower annual turnover threshold on the basis of risk. In such a case, Member States should notify the Commission of that decision.

In order to identify politically exposed persons in the Union, lists should be issued by Member States indicating the specific functions which, in accordance with national laws, regulations and administrative provisions, qualify as prominent public functions. Member States should request each international organisation accredited on their territories to issue and keep up-to-date a list of prominent public functions at that international organisation. The Commission should be tasked with compiling and issuing a list, which should be valid across the Union, as regards persons entrusted with prominent public functions in Union institutions or bodies. In order to ensure a harmonised approach to the identification and notification of prominent public functions, the Commission should be able to set out, by means of an implementing act, the format to be used for Member States’ notifications, and should be empowered to adopt delegated acts supplementing the categories of prominent public functions identified by this Regulation, where they are common across Member States.

Where customers are no longer entrusted with a prominent public function, they can still pose a higher risk, for example because of the informal influence they could still exercise, or because their previous and current functions are linked. It is essential that obliged entities take into consideration those continuing risks and apply one or more enhanced due diligence measures until such time that the individuals are deemed to pose no further risk, and in any case for not less than 12 months following the time when they cease to be entrusted with a prominent public function.

Insurance companies often do not have client relationships with beneficiaries of the insurance policies. However, they should be able to identify cases of higher risk, such as when the proceeds of the policy benefit a politically exposed person. To determine whether this is the case, the insurance policy should include reasonable measures to identify the beneficiary, as if that person were a new client. It should be possible for such measures to be taken at the time of the payout or at the time of the assignment of the policy, but not later.

Close private and professional relationships might be abused for money laundering and terrorist financing purposes. For that reason, measures concerning politically exposed persons should also apply to their family members and persons known to be close associates. Properly identifying family members and persons known to be close associates might depend on the socio-economic and cultural structure of the country of the politically exposed person. Against that background, AMLA should have the task of issuing guidelines on the criteria to use to identify persons who should be considered as close associates.

Relationships with family members which might be abused by politically exposed persons do not only cover those with parents and descendants but can also include those with siblings. This is particularly the case for categories of politically exposed persons who hold senior central government posts. In recognition, however, of differing socio-economic and cultural structures in existence at national level, which might influence the potential for abuse of sibling relationships, Member States should be able to apply a broader scope for the designation of siblings as family members of politically exposed persons to adequately mitigate the risks of abuse of those relationships. Where Member States decide to apply a broader scope, they should communicate the details of that broader scope to the Commission.

The requirements relating to politically exposed persons, their family members and persons known to be close associates are of a preventive and not criminal nature, and should not be interpreted as implying that politically exposed persons, their family members or close associates are involved in criminal activity. Refusing a business relationship with a person simply on the basis of a determination that they are a politically exposed person or a family member or a person known to be a close associate of a politically exposed person is contrary to the letter and spirit of this Regulation.

Given the vulnerability of residency-by-investment schemes to money laundering, tax crimes, corruption and the evasion of targeted financial sanctions, as well as the potential associated significant security threats for the Union as a whole, it is appropriate that obliged entities carry out, as a minimum, specific enhanced due diligence with respect to customers who are third-country nationals who are in the process of applying for residence rights in a Member State within the framework of those schemes.

The provision of personalised asset management services to individuals with a high level of wealth might expose credit institutions, financial institutions and trust or company service providers to specific risks including those arising from the complex and often personalised nature of such services. It is therefore necessary to specify a set of enhanced due diligence measures that should be applied, as a minimum, where such business relationships are deemed to pose a high risk of money laundering, its predicate offences or terrorist financing. The determination that a customer holds assets with a value of at least EUR 50 000 000, or the equivalent in national or foreign currency, takes into account financial and investable assets including cash and cash equivalents, whether held as deposits or in savings products, as well as investments such as stocks, bonds and mutual funds, even when they are held under long-term agreements with that obliged entity. Furthermore, the value of the customer’s real estate assets, excluding his or her private residence, should be taken into account. For the purposes of making that determination, credit institutions, financial institutions and trust or company service providers need not carry out or request a precise calculation of the customer’s total wealth. Rather, such entities should take measures to establish whether a customer holds assets with a value of at least EUR 50 000 000, or the equivalent in national or foreign currency, in financial, investable or real estate assets.

In order to avoid repeated customer identification procedures, it is appropriate, subject to suitable safeguards, to allow obliged entities to rely on the customer information collected by other obliged entities. Where an obliged entity relies on another obliged entity, the ultimate responsibility for customer due diligence should remain with the obliged entity which chooses to rely on the customer due diligence performed by another obliged entity. The obliged entity relied upon should also retain its own responsibility for compliance with AML/CFT requirements, including the requirement to report suspicious transactions and retain records.

The introduction of harmonised AML/CFT requirements across the Union, including with regard to group-wide policies and procedures, information exchange and reliance allows obliged entities operating within a group to leverage to the maximum the systems in place within that group in situations concerning the same customers. Those rules permit not only consistent and efficient implementation of AML/CFT rules across the group but also benefit from economies of scale at group level, for example by making it possible for obliged entities within the group to rely on the outcomes of processes adopted by other obliged entities within the group to comply with their customer identification and verification requirements.

In order for reliance on measures carried out by a third-party to function efficiently, further clarity is needed around the conditions according to which such reliance takes place. AMLA should have the task of developing guidelines on the conditions under which third-party reliance can take place, as well as the roles and responsibilities of the respective parties. To ensure that consistent oversight of reliance is ensured throughout the Union, those guidelines should also provide clarity on how supervisors should take into account such practices and verify compliance with AML/CFT requirements where obliged entities resort to those practices.

The concept of beneficial ownership was introduced to increase transparency of complex corporate structures. The need to access accurate, up-to-date and adequate information on the beneficial owner is a key factor in tracing criminals who might otherwise be able to hide their identity behind such opaque structures. Member States are currently required to ensure that corporate and other legal entities, as well as express trusts and other similar legal arrangements, obtain and hold adequate, accurate and up-to-date information on their beneficial ownership. However, the degree of transparency imposed by Member States varies. The rules are subject to divergent interpretations, and that results in different methods to identify beneficial owners of a given legal entity or legal arrangement. This is due, inter alia, to inconsistent methods of calculating indirect ownership of a legal entity or legal arrangement, and differences between the legal systems of the Member States. This hampers the transparency that was intended to be achieved. It is therefore necessary to clarify the rules to achieve a consistent definition of beneficial owner and its application across the internal market.

The application of the rules for identifying the beneficial ownership of legal entities, as well as of legal arrangements, can give rise to implementation questions when relevant stakeholders are confronted with concrete cases, especially in instances of complex corporate structures, where the criteria of ownership interest and control coexist, or for the purposes of determining indirect ownership or control. In order to support the application of those rules by legal entities, trustees or persons holding an equivalent position in similar legal arrangements and obliged entities, and consistent with the harmonisation goal of this Regulation, it should be possible for the Commission to adopt guidelines setting out how rules to identify the beneficial owners in different scenarios are to be applied, including through the use of case examples.

A meaningful identification of the beneficial owners requires a determination of whether control is exercised via other means. The determination of the existence of an ownership interest or of control through an ownership interest is necessary but not sufficient and it does not exclude the need for checks to determine the beneficial owners. The test as to whether any natural person exercises control via other means is not a subsequent test to be performed only where it is not possible to determine an ownership interest. The two tests, namely that of existence of an ownership interest or control through an ownership interest and that of control via other means, should be performed in parallel.

An ownership of 25 % or more of the shares or voting rights or other ownership interest in general establishes the beneficial ownership of a corporate entity. Ownership interest should encompass both control rights and rights that are significant in terms of receiving a benefit, such as a right to a share of profits or other internal resources or liquidation balance. There might, however, be situations where the risk of certain categories of corporate entities being misused for money laundering or terrorist financing purposes is higher, for example due to the specific higher risk sectors in which those corporate entities operate. In such situations, enhanced transparency measures are necessary to dissuade criminals from setting up or infiltrating those entities, either through direct or indirect ownership or control. In order to ensure that the Union is able to adequately mitigate such varying levels of risk, it is necessary to empower the Commission to identify those categories of corporate entities that should be subject to lower beneficial transparency thresholds. To that end, Member States should inform the Commission where they identify categories of corporate entities that are exposed to higher money laundering and terrorist financing risks. In those notifications, it should be possible for Member States to indicate a lower ownership threshold that they consider would mitigate those risks. Such identification should be ongoing and should rely on the results of the risk assessment at Union level and of the national risk assessment as well as on relevant analyses and reports produced by AMLA, Europol or other Union bodies that have a role in the prevention, investigation and prosecution of money laundering and terrorist financing. That lower threshold should be of a sufficiently low level to mitigate the higher risks that corporate entities be misused for criminal purposes. To that end, that lower threshold should in general not be set at more than 15 % of the shares or voting rights or other ownership interest. However, there might be cases in which, on the basis of a risk-sensitive assessment, a higher threshold would be more proportionate to address the identified risks. In those cases, it should be possible for the Commission to set the threshold between 15 % and 25 % of the ownership interest.

By their complex nature, multi-layered ownership and control structures make the identification of beneficial owners more difficult. The concept of ‘ownership or control structure’ is intended to describe the way in which a legal entity is indirectly owned or controlled, or in which a legal arrangement is indirectly controlled, as a result of the relationships that exist between legal entities or arrangements across multiple layers. In order to ensure a consistent approach throughout the internal market, it is necessary to clarify the rules that apply to those situations. For that purpose, it is necessary to assess simultaneously whether any natural person has a direct or indirect shareholding with 25 % or more of the shares or voting rights or other ownership interest, and whether any natural person controls the direct shareholder with 25 % or more of the shares or voting rights or other ownership interest in the corporate entity. In the case of indirect shareholding, the beneficial owners should be identified by multiplying the shares in the ownership chain. To that end, all shares directly or indirectly owned by the same natural person should be added together. That requires the shareholding on every level of ownership to be taken into account. Where 25 % of the shares or voting rights or other ownership interest in the corporate entity are owned by a shareholder that is a legal entity other than a corporate entity, the beneficial ownership should be determined having regard to the specific structure of the shareholder, including whether any natural person exercises control through other means over a shareholder.

The determination of the beneficial owner of a corporate entity in situations where the shares of the corporate entity are held in a legal arrangement, or where they are held by a foundation or similar legal entity, might be more difficult in view of the different nature and identification criteria of beneficial ownership between legal entities and legal arrangements. It is therefore necessary to set out clear rules to deal with those situations of multi-layered structure. In such cases, all beneficial owners of the legal arrangement, or of a similar legal entity such as a foundation, should be the beneficial owners of the corporate entity whose shares are held in the legal arrangement or held by the foundation.

A common understanding of the concept of control and a more precise definition of the means of control are necessary to ensure consistent application of the rules across the internal market. Control should be understood as the effective ability to impose one’s will on the corporate entity’s decision-making on substantive issues. The usual means of control is a majority share of voting rights. The position of beneficial owner can also be established by control via other means without having significant, or any, ownership interest. For that reason, in order to ascertain all individuals that are beneficial owners of a legal entity, control should be identified independently of ownership interest. Control can generally be exercised by any means, including legal and non-legal means. Those means might be taken into account for assessing whether control via other means is exercised, depending on the specific situation of each legal entity.

Indirect ownership or control might be determined by multiple links in a chain or by multiple individual or interlinked chains. A link in a chain could be any natural or legal person or a legal arrangement. The relationships between the links might consist of ownership interest or voting rights or other means of control. In such cases, where ownership interest and control coexist in the ownership structure, specific and detailed rules on the identification of the beneficial ownership are needed to support a harmonised approach to the identification of beneficial owners.

In order to ensure effective transparency, the widest possible range of legal entities and legal arrangements created or set up in the territory of Member States should be covered by beneficial ownership rules. That includes corporate entities, which are characterised by the possibility to hold ownership interest in them, as well as other legal entities and legal arrangements similar to express trusts. Due to differences in the legal systems of Member States, those broad categories encompass a variety of different organisational structures. Member States should notify to the Commission a list of the types of legal entities where the beneficial owners are identified in line with the rules for the identification of beneficial owners for both corporate and other legal entities.

The specific nature of certain legal entities, such as associations, trade unions, political parties or churches, does not result in a meaningful identification of beneficial owners based on ownership interests or membership. In those cases, however, it can be the case that the senior managing officials exercise control over the legal entity by other means. In those cases, such officials should be reported as the beneficial owners.

To ensure the consistent identification of beneficial owners of express trusts and similar legal entities, such as foundations, or similar legal arrangements, it is necessary to lay down harmonised beneficial ownership rules. Member States should be required to notify to the Commission a list of the types of legal entities and legal arrangements similar to express trusts where the beneficial owners are identified according to the identification of beneficial owners for express trusts and similar legal entities or arrangements. The Commission should be able to adopt, by means of an implementing act, a list of legal arrangements and legal entities governed by the law of Member States, which have a structure or function similar to express trusts.

Discretionary trusts allow their trustees discretion on the allocation of the trust assets or benefits derived from them. As such, no beneficiaries or class of beneficiaries is determined from the outset, but rather a pool of persons from among which the trustees can choose the beneficiaries, or persons who will become beneficiaries should the trustees not exercise their discretion. As recognised by the recent revision of FATF standards regarding legal arrangements, such discretion can be misused and allow for the obfuscation of beneficial owners if a minimum level of transparency is not imposed for discretionary trusts, as transparency on beneficiaries would only be achieved upon the exercise of the trustees’ discretion. Therefore, in order to ensure an adequate and consistent transparency for all types of legal arrangements, it is important that, in the case of discretionary trusts, information is also collected on the objects of a trustee’s power and on the default takers who would receive the assets or benefits if the trustees fail to exercise their discretion. There are situations where objects of a power or default takers might not be identified individually, but as a class. In those cases, information on the class should be collected, as well as information on the individual persons who are selected from the class.

The characteristics of express trusts and similar legal arrangements in Member States vary. In order to ensure a harmonised approach, it is appropriate to set out common principles for the identification of such arrangements. Express trusts are trusts set up at the initiative of the settlor. Trusts set up by law or that do not result from the explicit intent of the settlor to set them up should be excluded from the scope of this Regulation. Express trusts are usually set up in the form of a document such as a written deed or written instrument of trust, and usually fulfil a business or personal need. Legal arrangements similar to express trusts are arrangements without legal personality which are similar in structure or functions. The determining factor is not the designation of the type of legal arrangement, but the fulfilment of the basic features of the definition of an express trust, namely the settlor’s intention to place the assets under the administration and control of a certain person for specified purpose, usually of a business or personal nature, such as the benefit of the beneficiaries. To ensure the consistent identification of the beneficial owners of legal arrangements similar to express trusts, Member States should notify to the Commission a list of the types of legal arrangements similar to express trusts. Such notification should be accompanied by an assessment justifying the identification of certain legal arrangements as similar to express trusts as well as explaining why other legal arrangements have been considered to be dissimilar in structure or function from express trusts. In performing such assessment, Member States should take into consideration all legal arrangements that are governed under their law.

In relation to some types of legal entities, such as foundations, express trusts and similar legal arrangements, it is not possible to identify individual beneficiaries because they have yet to be determined. In such cases, beneficial ownership information should include instead a description of the class of beneficiaries and its characteristics. As soon as beneficiaries within the class are designated, they will be beneficial owners. Furthermore, there are specific types of legal persons and legal arrangements where beneficiaries exist, but where their identification is not proportionate in respect of the money laundering and terrorist financing risks associated with those legal persons or legal arrangements. That is the case in relation to regulated products such as pension schemes within the scope of Directive (EU) 2016/2341 of the European Parliament and of the Council(²⁶), and it could be the case, for example, in relation to employee financial ownership or participation schemes, or legal entities or legal arrangements with a non-profit or charitable purpose, provided the risks associated with such legal persons and legal arrangements are low. In those cases, an identification of the class of beneficiaries should be sufficient.

Pension schemes regulated by Directive (EU) 2016/2341 are regulated products which are subject to stringent supervisory standards and present low risks of money laundering and terrorist financing. Where such pension schemes are set up in the form of a legal arrangement, its beneficiaries are employees and workers who rely on those products, linked to their employment contracts, for the management of their retirement benefits. Due the specific nature of the retirement benefit, which carries a low risk of money laundering and terrorist financing, it would not be proportionate to require the identification of each of those beneficiaries, and the identification of the class and its characteristic should be sufficient to fulfil transparency obligations.

To ensure the consistent identification of beneficial owners of collective investment undertakings, it is necessary to lay down harmonised beneficial ownership rules. Regardless of whether the collective investment undertakings exist in the Member State in the form of a legal entity with legal personality, as a legal arrangement without legal personality, or in any other form, the approach to the identification of the beneficial owner should be consistent with their purpose and function.

A consistent approach to the beneficial ownership transparency regime also requires ensuring that the same information is collected on beneficial owners across the internal market. It is appropriate to introduce precise requirements concerning the information that should be collected in each case. That information includes a minimum set of personal data regarding the beneficial owner, information on the nature and extent of the beneficial interest held in the legal entity or legal arrangement, and information on the legal entity or legal arrangement, necessary to ensure the appropriate identification of the natural person who is the beneficial owner and the reasons why that natural person has been identified as the beneficial owner.

An effective framework of beneficial ownership transparency requires information to be collected through various channels. Such a multi-pronged approach includes the information held by the legal entity or trustee of an express trust or persons holding an equivalent position in a similar legal arrangement themselves, the information obtained by obliged entities in the context of customer due diligence, and the information held in central registers. Cross-checking of information among those pillars contributes to ensuring that each pillar holds adequate, accurate and up-to-date information. To that end, and in order to avoid discrepancies caused by different approaches, it is important to identify those categories of data that should always be collected in order to ensure the beneficial ownership information is adequate. That includes basic information on the legal entity and legal arrangement, which is the precondition allowing the entity or arrangement itself to understand its structure, whether through ownership or through control.

Where legal entities and legal arrangements are part of a complex structure, clarity on their ownership or control structure is critical in order to ascertain who their beneficial owners are. To that end, it is important that legal entities and legal arrangements clearly understand the relationships by which they are indirectly owned or controlled, including all intermediary steps between the beneficial owners and the legal entity or legal arrangement itself, whether those relationships are in the form of other legal entities and legal arrangements or of nominee relationships. Identification of the ownership and control structure allows identification of the ways by which ownership is established or control can be exercised over a legal entity and is therefore essential for a comprehensive understanding of the position of the beneficial owner. The beneficial owner information should therefore always include a description of the relationship structure.

Underpinning an effective framework on beneficial ownership transparency is the knowledge by legal entities of the natural persons who are their beneficial owners. Thus, all legal entities in the Union should obtain and hold adequate, accurate and up-to-date beneficial ownership information. That information should be retained for 5 years and the identity of the person responsible for retaining the information should be reported to the central registers. That retention period is equivalent to the period for retention of information obtained through the application of AML/CFT requirements, such as customer due diligence measures. In order to ensure the possibility to cross-check and verify information, for instance through the mechanism of discrepancy reporting, it is justified to ensure that the relevant data retention periods are aligned.

To ensure that beneficial ownership information is up-to-date, the legal entity should update such information immediately after any change and should periodically verify it, for example at the time of submission of the financial statements, or on the occasion of other repetitive interactions with public authorities. The deadline for updating the information should be reasonable in view of possible complex situations.

Legal entities should take all necessary measures to identify their beneficial owners. There might however be cases where no natural person is identifiable who ultimately owns or exerts control over an entity. In such exceptional cases, provided that all means of identification are exhausted, it should be possible for senior managing officials to be reported instead of the beneficial owners when providing beneficial ownership information to obliged entities in the course of the customer due diligence process or when submitting the information to the central register. Although they are identified in those situations, the senior managing officials are not the beneficial owners. Legal entities should keep records of the actions taken in order to identify their beneficial owners, especially when they rely on this last resort measure, which should be duly justified and documented.

Difficulties in obtaining the information should not be a valid reason to avoid the identification effort and resort to reporting the senior management instead. Therefore, legal entities should always be able to substantiate their doubts as to the veracity of the information collected. Such justification should be proportionate to the risk of the legal entity and the complexity of its ownership structure. In particular, the record of the actions taken should be promptly provided to competent authorities where required and, on a risk-sensitive basis, it should be possible for that record to include resolutions of the board of directors and minutes of their meetings, partnership agreements, trust deeds, informal arrangements determining powers equivalent to powers of attorney or other contractual agreements and documentation. In cases where the absence of beneficial owners is evident with respect to the specific form and structure of legal entity, the justification should be understood as a reference to that fact, namely that the legal entity does not have a beneficial owner due to its specific form and structure. Such absence of beneficial owners could arise, where, for example, there are no ownership interests in the legal entity or where the legal entity cannot be ultimately controlled by other means.

In view of the purpose of determining beneficial ownership, which is to ensure effective transparency of legal entities, it is proportionate to exempt certain entities from the obligation to identify their beneficial owner. Such a regime can only be applied to entities for which the identification and registration of their beneficial owners is not useful and where the similar level of transparency is achieved by means other than beneficial ownership. In that respect, bodies governed by public law of the Member States should not be obliged to determine their beneficial owner. Directive 2004/109/EC of the European Parliament and of the Council(²⁷) introduced strict transparency requirements for companies whose securities are admitted to trading on a regulated market. In certain circumstances, those transparency requirements can achieve an equivalent transparency regime to the beneficial ownership transparency rules set out in this Regulation. That is the case where control over the company is exercised through voting rights, and the ownership or control structure of the company only includes natural persons. In those circumstances, there is no need to apply beneficial ownership requirements to those listed companies. The exemption for legal entities from the obligation to determine their own beneficial owner and to register it should not affect the obligation of obliged entities to identify the beneficial owner of a customer when performing customer due diligence.

There is a need to ensure a level playing field among the different types of legal forms and to avoid the misuse of express trusts and legal arrangements, which are often layered in complex structures to further obscure beneficial ownership. Trustees of any express trust administered in a Member State, or established or residing in a Member State should thus be responsible for obtaining and holding adequate, accurate and up-to-date beneficial ownership information regarding the express trust, and for disclosing their status and providing that information to obliged entities carrying out customer due diligence. Any other beneficial owner of the express trust should assist the trustee in obtaining such information.

The nature of legal arrangements and the lack of publicity about their structures and purpose places a particular onus on the trustees, or persons in equivalent positions in similar legal arrangements, to obtain and hold all relevant information on the legal arrangement. Such information should enable an identification of the legal arrangement, the assets placed therein or administered through it, and any agent or service provider to the trust. In order to facilitate the activities of competent authorities in the prevention, detection and investigation of money laundering, its predicate offences and terrorist financing, it is important that trustees keep that information up-to-date and that they hold it for a sufficient amount of time after they cease their role as trustees or equivalent. The provision of a basic amount of information on the legal arrangement to obliged entities is also necessary to enable them to fully ascertain the purpose of the business relationship or occasional transaction involving the legal arrangement, adequately assess the associated risks, and implement commensurate measures to mitigate those risks.

In view of the specific structure of certain legal arrangements, and the need to ensure sufficient transparency about their beneficial ownership, such legal arrangements similar to express trusts should be subject to equivalent beneficial ownership requirements as those that apply to express trusts.

Nominee arrangements can allow the concealment of the identity of the beneficial owners, because a nominee might act as the director or shareholder of a legal entity while the nominator is not always disclosed. Those arrangements might obscure the beneficial ownership and control structure if beneficial owners do not wish to disclose their identity or role within them. There is thus a need to introduce transparency requirements in order to avoid such arrangements being misused and to prevent criminals from hiding behind persons acting on their behalf. The relationship between nominee and nominator is not determined by whether it has an effect on the public or third parties. Although nominee shareholders whose names appear in public or official records would formally have independent control over the company, it should be required to disclose whether they are acting on the instructions of someone else on the basis of a private agreement. Nominee shareholders and nominee directors of legal entities should maintain sufficient information on the identity of their nominator as well as of any beneficial owner of the nominator and disclose them as well as their status to the legal entities. The same information should also be reported by legal entities to obliged entities when customer due diligence measures are applied and to the central registers.

The risks posed by foreign legal entities and foreign legal arrangements which are misused to channel proceeds of funds into the Union’s financial system need to be mitigated. Since beneficial ownership standards in place in third countries might not be sufficient to allow for the same level of transparency and timely availability of beneficial ownership information as in the Union, there is a need to ensure adequate means to identify the beneficial owners of foreign legal entities or foreign legal arrangements in specific circumstances. Therefore, legal entities created outside the Union and express trusts or similar legal arrangements administered outside the Union or whose trustees or persons holding an equivalent position reside or are established outside the Union should be required to disclose their beneficial owners where they operate in the Union by entering into a business relationship with a Union’s obliged entity, by acquiring real estate in the Union or certain high value goods from obliged entities located in the Union, or by being awarded a contract following a public procurement procedure for goods or services, or concessions. There might be variations in the risk exposure across Member States, including depending on the category or type of activities carried out by obliged entities and on the attractiveness for criminals of real estate properties in their territory. Therefore, where Member States identify cases of higher risk, they should be able to take additional mitigating measures to address those risks.

The registration requirements for foreign legal entities and foreign legal arrangements should be proportionate to the risks associated with their operations in the Union. Given the open nature of the Union internal market, and the use made by foreign legal entities of the services offered by obliged entities established in the Union, many of which are associated with lower risks of money laundering, its predicate offences or terrorist financing, it is appropriate to limit the registration requirement to legal entities that belong to high-risk sectors or that operate in higher risk categories or that obtain services from obliged entities operating in sectors associated with higher risks. The private nature of legal arrangements, and the obstacles in accessing beneficial ownership information in the case of foreign legal arrangements, justify the application of a registration requirement irrespective of the level of risk associated with the obliged entity providing services to the legal arrangement, or, where relevant, with the sector in which the legal arrangement operates. Reference to the risk assessment at Union level under Article 7 of Directive (EU) 2024/1640 should be understood to refer to the risk assessment issued by the Commission pursuant to Article 6 of Directive (EU) 2015/849 until the first issuance of the report under Article 7 of Directive (EU) 2024/1640.

In order to encourage compliance and ensure an effective beneficial ownership transparency, beneficial ownership requirements need to be enforced. To that end, Member States should apply penalties for breaches of those requirements. Those penalties should be effective, proportionate and dissuasive, and should not go beyond what is required to encourage compliance. Penalties introduced by Member States should have an equivalent deterrent effect across the Union on the breaches of beneficial ownership requirements. It should be possible for penalties to include, for example, fines for legal entities and on trustees or persons holding an equivalent position in a similar legal arrangement imposed for failure to hold accurate, adequate or up-to-date beneficial ownership information, the striking-off of legal entities that fail to comply with the obligation to hold beneficial ownership information or to submit beneficial ownership information within a given deadline, fines for beneficial owners and other persons who fail to cooperate with a legal entity or trustee of an express trust or person holding an equivalent position in a similar legal arrangement, fines for nominee shareholders and nominee directors who fail to comply with the obligation of disclosure, or private law consequences for undisclosed beneficial owners as prohibition of the payment of profits or prohibition of the exercise of voting rights.

With a view to ensuring a consistent approach to the enforcement of beneficial ownership requirements across the internal market, the Commission should be empowered to adopt delegated acts to define the categories of breaches subject to penalties and the persons liable for such breaches, as well as indicators on the level of gravity and criteria to determine the level of penalties. Furthermore, in order to support the determination of that level, and consistent with the harmonisation goal of this Regulation, it should be possible for the Commission to adopt guidelines setting out the base amounts to apply to each category of breach.

Suspicious transactions, including attempted transactions, and other information relevant to money laundering, its predicate offences and terrorist financing, should be reported to the FIU, which should serve as a single central national unit for receiving and analysing reported suspicions and for disseminating to the competent authorities the results of its analyses. All suspicious transactions, including attempted transactions, should be reported, regardless of the amount of the transaction, and the reference to suspicions should be interpreted as including suspicious transactions, activities, behaviour and patterns of transactions. Reported information could also include threshold-based information. In order to support obliged entities’ detection of suspicions, AMLA should issue guidance on indicators of suspicious activity or behaviour. Given the evolving risk environment, that guidance should be reviewed regularly, and should not prejudge the issuance by FIUs of guidance or indicators on money laundering and terrorist financing risks and methods identified at national level. The disclosure of information to the FIU in good faith by an obliged entity or by an employee or director of such an entity should not constitute a breach of any restriction on disclosure of information and should not involve the obliged entity or its directors or employees in liability of any kind.

Obliged entities should establish comprehensive reporting regimes encompassing all suspicions, regardless of the value or perceived severity of the associated criminal activity. They should be aware of the expectations of FIUs and should, as far as possible, tailor their detection systems and analytical processes to the key risks affecting the Member State in which they are established and, where necessary, prioritise their analysis towards addressing those key risks.

Transactions should be assessed on the basis of information known or which should be known to the obliged entity. That includes relevant information from agents, distributors and service providers. Where the underlying predicate offence is not known or apparent to the obliged entity, the role of identifying and reporting suspicious transactions is fulfilled more efficiently by focusing on detecting suspicions and submitting reports promptly. In those cases, the predicate offence need not be specified by the obliged entity when reporting a suspicious transaction to the FIU, if it is not known to them. Where that information is available, it should be included in the report. As gatekeepers of the Union’s financial system, obliged entities should also be able to submit a report where they know or suspect that funds have been or will be used to carry out criminal activities, such as the purchase of illicit goods, even if the information available to them does not indicate that the funds used originate from illicit sources.

Differences in suspicious transaction reporting obligations between Member States could exacerbate the difficulties in AML/CFT compliance experienced by obliged entities that have a cross-border presence or operations. Moreover, the structure and content of the suspicious transaction reports have an impact on the FIU’s capacity to carry out analysis and on the nature of that analysis, and also affect the FIU’s abilities to cooperate and to exchange information. In order to facilitate obliged entities’ compliance with their reporting obligations and allow for a more effective functioning of the FIU’s analytical activities and cooperation, AMLA should develop draft implementing technical standards specifying a common template for the reporting of suspicious transactions to be used as a uniform basis throughout the Union.

FIUs should be able to obtain swiftly from any obliged entity all the necessary information relating to their functions. Their unfettered and swift access to information is essential to ensure that flows of money can be properly traced and illicit networks and flows detected at an early stage. The need for FIUs to obtain additional information from obliged entities based on a suspicion of money laundering or financing of terrorism might be triggered by a prior suspicious transaction report reported to the FIU, but might also be triggered through other means such as the FIU’s own analysis, intelligence provided by competent authorities or information held by another FIU. FIUs should therefore be able, in the context of their functions, to obtain information from any obliged entity, even without a prior report being made. In particular, records of financial transactions and transfers carried out through a bank, payment or crypto-asset account are critical for the analytical work of FIUs. However, due to the lack of harmonisation, at present credit institutions and financial institutions provide FIUs with transaction records in different formats, which are not readily useable for analysis. Considering the cross-border nature of FIUs’ analytical activities, the disparity of formats and difficulties of processing transaction records hamper the exchange of information among FIUs and the development of cross-border financial analyses. AMLA should therefore develop draft implementing technical standards specifying a common template for the provision of transaction records by credit institutions and financial institutions to FIUs to be used as a uniform basis throughout the Union.

Obliged entities should reply to a request for information by the FIU as soon as possible and, in any case, within 5 working days of receipt of the request or any other shorter or longer deadline imposed by the FIU. In justified and urgent cases, the obliged entity should reply to the FIU’s request within 24 hours. Those deadlines should apply to information requests that are based on sufficiently defined conditions. An FIU should also be able to obtain information from obliged entities upon request made by another FIU and to exchange the information with the requesting FIU. Requests to obliged entities vary in nature. For example, complex requests might necessitate more time and warrant an extended deadline for response. To that end, FIUs should be able to grant extended deadlines to obliged entities, provided that does not have a negative impact on the FIU’s analysis.

For certain obliged entities, Member States should have the possibility to designate an appropriate self-regulatory body to be informed in the first instance instead of the FIU. In accordance with the case-law of the European Court of Human Rights, a system of first instance reporting to a self-regulatory body constitutes an important safeguard for upholding the protection of fundamental rights as concerns the reporting obligations applicable to lawyers. Member States should provide for the means and manner by which to achieve the protection of professional secrecy, confidentiality and privacy.

Notaries, lawyers, other independent legal professionals, auditors, external accountants and tax advisors should not be obliged to transmit to the FIU or to a self-regulatory body any information received from, or obtained in relation to, one of their clients in the course of ascertaining the legal position of that client, or in performing the task of defending or representing that client in, or concerning, judicial proceedings, including providing advice on instituting or avoiding such proceedings, whether such information is received or obtained before, during or after such proceedings. However, such an exception should not apply where the legal professional, auditor, external accountant or tax advisor is taking part in money laundering or terrorist financing, the legal advice is provided for the purposes of money laundering or terrorist financing, or where the legal professional, auditor, external accountant or tax advisor knows that the client is seeking legal advice for the purposes of money laundering or terrorist financing. Such knowledge and purpose can be inferred from objective, factual circumstances. Legal advice sought in relation to ongoing judicial proceedings should not be deemed to constitute legal advice for the purposes of money laundering of terrorist financing. In line with the risk-based approach, Member States should be able to identify additional situations where, having regard to the high risk of money laundering, its predicate offences or terrorist financing associated with certain types of transactions, the exemption from the reporting requirement does not apply. When identifying such additional situations, Member States are to ensure compliance in particular with Articles 7 and 47 of the Charter.

Obliged entities should exceptionally be able to carry out suspicious transactions before informing the FIU where refraining from doing so is impossible or likely to frustrate efforts to pursue the beneficiaries of a suspected money laundering or terrorist financing operation. However, that exception should not be invoked in relation to transactions concerned by any international obligations accepted by the Member State of the FIU to freeze without delay funds or other assets of terrorists, terrorist organisations or those who finance terrorism, in accordance with the relevant UNSC resolutions.

Confidentiality in relation to the reporting of suspicious transactions and to the provision of other relevant information to FIUs is essential in order to enable the competent authorities to freeze and seize assets potentially linked to money laundering, its predicate offences or terrorist financing. A suspicious transaction is not an indication of criminal activity. Disclosing that a suspicion has been reported might tarnish the reputation of the persons involved in the transaction and jeopardise the performance of analyses and investigations. Therefore, obliged entities and their directors and employees, or persons in comparable positions, including agents and distributors, should not inform the customer concerned or a third party that information is being, will be or has been submitted to the FIU, whether directly or through the self-regulatory body, or that a money laundering or terrorist financing analysis is being, or might be, carried out. The prohibition of disclosure should not apply in specific circumstances concerning, for example, disclosures to competent authorities and self-regulatory bodies when performing supervisory functions, or disclosures for law enforcement purposes or where the disclosures take place between obliged entities that belong to the same group.

Criminals move illicit proceeds through numerous intermediaries to avoid detection. Therefore it is important to allow obliged entities to exchange information not only between group members, but also in certain cases between credit institutions and financial institutions and other entities that operate within networks, with due regard to data protection rules. Outside of a partnership for information sharing, the disclosure permitted among certain categories of obliged entities in cases involving the same transaction should only take place with regard to the specific transaction that is carried out between or facilitated by those obliged entities, and not with regard to connected previous or subsequent transactions.

The exchange of information among obliged entities and, where applicable, competent authorities, might increase the possibilities for detecting illicit financial flows concerning money laundering, the financing of terrorism and proceeds of crime. For that reason, obliged entities and competent authorities should be able to exchange information in the framework of an information sharing partnership where they deem such sharing to be necessary for compliance with their AML/CFT obligations and tasks. Information sharing should be subject to robust safeguards relating to confidentiality, data protection, use of information and criminal procedure. Obliged entities should not rely solely on information received through the exchange of information to draw conclusions on the money laundering and terrorist financing risk of the customer or transaction or to take decisions regarding the establishment or termination of a business relationship or the carrying out of a transaction. As recognised in Directive 2014/92/EU, the smooth functioning of the internal market and the development of a modern, socially inclusive economy increasingly depends on the universal provision of payment services. Therefore, access to basic financial services should not be denied on the basis of information exchanged among obliged entities or between obliged entities and competent authorities or AMLA.

Compliance with the requirements of this Regulation is subject to checks by supervisors. Where obliged entities exchange information in the framework of a partnership for information sharing, those checks should also include compliance with the conditions laid down in this Regulation for those exchanges of information. While supervisory checks should be risk-based, they should be performed in any event prior to the commencement of the activities of the partnership for information sharing. Partnerships for information sharing that involve the processing of personal data might result in a high risk to the rights and freedoms of natural persons. Therefore, a data protection impact assessment pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council(²⁸) should be carried out prior to the start of the activities of the partnership. In the context of supervisory checks, supervisors should consult, where relevant, data protection authorities, which alone are competent for assessing the data protection impact assessment. The data protection provisions and all requirements concerning the confidentiality of information on suspicious transactions contained in this Regulation apply to information shared in the framework of a partnership. Consistent with Regulation (EU) 2016/679, Member States should be able to maintain or introduce more specific provisions to adapt the application of that Regulation to provide more specific requirements in relation to the processing of personal data exchanged in the framework of a partnership for information sharing.

While partnerships for information sharing enable the exchange of operational information and personal data under strict safeguards, those exchanges should not replace the requirements under this Regulation to report any suspicion to the competent FIU. Therefore, when obliged entities identify suspicious activities on the basis of information obtained in the context of a partnership for information sharing, they should report that suspicion to the FIU in the Member State where they are established. Information that indicates suspicious activity is subject to stricter rules that prohibit its disclosure and should only be shared where necessary for the purposes of preventing and combating money laundering, its predicate offences and terrorist financing and subject to safeguards protecting fundamental rights, the confidentiality of FIU work and the integrity of law enforcement investigations.

Regulation (EU) 2016/679 applies to the processing of personal data for the purposes of this Regulation. The fight against money laundering and terrorist financing is recognised as an important public interest ground by all Member States. Obliged entities should pay particular attention to the principles requiring that the personal data processed in the course of compliance with their AML/CFT obligations be accurate, reliable and up-to-date. For the purposes of complying with this Regulation, obliged entities should be able to adopt processes that enable automated individual decision-making, including profiling, as set out under Article 22 of Regulation (EU) 2016/679. When doing so, the requirements set out in this Regulation to safeguard the rights of persons subject to such processes should apply in addition to any other relevant requirements set out in Union law concerning the protection of personal data.

It is essential that the alignment of the AML/CFT framework with the revised FATF Recommendations is carried out in full compliance with Union law, in particular as regards Union data protection law and the protection of fundamental rights as enshrined in the Charter. Certain aspects of the implementation of the AML/CFT framework involve the collection, analysis, storage and sharing of data. Such processing of personal data should be permitted, while fully respecting fundamental rights, only for the purposes laid down in this Regulation, and for carrying out customer due diligence, ongoing monitoring, analysis and reporting of suspicious transactions, identification of the beneficial owner of a legal person or legal arrangement, identification of a politically exposed person and sharing of information by credit institutions and financial institutions and other obliged entities. The collection and subsequent processing of personal data by obliged entities should be limited to what is necessary for the purpose of complying with AML/CFT requirements and personal data should not be further processed in a way that is incompatible with that purpose. In particular, further processing of personal data for commercial purposes should be strictly prohibited.

The processing of certain categories of sensitive data as defined under Article 9 of Regulation (EU) 2016/679 could give rise to risks to the fundamental rights and freedoms of the subjects of those data. To minimise the risks that the processing of such data by obliged entities results in discriminatory or biased outcomes that adversely impact the customer, such as the termination or refusal to enter into a business relationship, obliged entities should not take decisions solely on the basis of information in their possession concerning special categories of personal data within the meaning of Regulation (EU) 2016/679 where that information bears no relevance to the money laundering and terrorist financing risks posed by a transaction or relationship. Similarly, in order to ensure that the intensity of customer due diligence is based on a holistic understanding of the risks associated with the customer, obliged entities should not base the application of a higher or lower level of customer due diligence measures solely on the basis of sensitive data that they possess on the customer.

The revised FATF Recommendations demonstrate that, in order to be able to cooperate fully and comply swiftly with information requests from competent authorities for the purposes of the prevention, detection or investigation of money laundering and terrorist financing, obliged entities should maintain, for at least 5 years, the necessary information obtained through customer due diligence measures and the records on transactions. In order to avoid different approaches and in order to fulfil the requirements relating to the protection of personal data and legal certainty, that retention period should be fixed at 5 years after the end of a business relationship or an occasional transaction. There might be situations where the functions of competent authorities cannot be effectively carried out if the relevant information held by obliged entities is deleted pursuant to the lapse of the retention period. In such cases, competent authorities should be able to request obliged entities to retain information on a case-by-case basis for a longer period, which should not exceed 5 years.

Where the notion of competent authorities refers to investigating and prosecuting authorities, it should be interpreted as including the European Public Prosecutor’s Office (EPPO) with regard to the Member States that participate in the enhanced cooperation on the establishment of the EPPO.

Disseminations by FIUs play a crucial role in detecting possible criminal activities under the competence of the EPPO or the European Anti-Fraud Office (OLAF), or in relation to which Europol and Eurojust are able to provide operational support at an early stage in accordance with their respective mandates, and to support prompt and effective investigations and prosecutions. Information shared with the EPPO and OLAF by FIUs should include grounds for the suspicion that a crime under the EPPO’s and OLAF’s respective competencies might be or has been perpetrated, and be accompanied by all relevant information that the FIU holds and which can support action, including relevant financial and administrative information. Where the EPPO and OLAF request information from FIUs, it is equally important that FIUs are able to share all the information they hold in relation to the case. In accordance with the applicable provisions in their founding legal instruments, the EPPO and OLAF should inform FIUs about the steps taken in relation to the information that was disseminated and any relevant outcomes.

For the purpose of ensuring the appropriate and efficient administration of justice during the period between the entry into force and application of this Regulation, and in order to allow for its smooth interaction with national procedural law, information and documents pertinent to ongoing legal proceedings for the purpose of the prevention, detection or investigation of possible money laundering or terrorist financing, where those proceedings are pending in the Member States on the date of entry into force of this Regulation, should be retained for a period of 5 years after that date, and it should be possible to extend that period for a further 5 years.

The rights of access to data by the data subject are applicable to the personal data processed for the purpose of this Regulation. However, access by the data subject to any information related to a suspicious transaction report would seriously undermine the effectiveness of the fight against money laundering and terrorist financing. Exceptions to and restrictions of that right in accordance with Article 23 of Regulation (EU) 2016/679 might therefore be justified. The data subject has the right to request that an authority referred to in Article 51 of Regulation (EU) 2016/679 check the lawfulness of the processing and has the right to seek a judicial remedy referred to in Article 79 of that Regulation. That authority is also able to act on an ex officio basis where provided for under Regulation (EU) 2016/679. Without prejudice to the restrictions to the right to access, the supervisory authority should be able to inform the data subject that all necessary verifications by the supervisory authority have taken place, and of the result as regards the lawfulness of the processing in question.

Obliged entities might resort to the services of other private operators. However, the AML/CFT framework should apply to obliged entities only, and obliged entities should retain full responsibility for compliance with AML/CFT requirements. In order to ensure legal certainty and to avoid that some services are inadvertently brought into the scope of this Regulation, it is necessary to clarify that persons that merely convert paper documents into electronic data and are acting under a contract with an obliged entity, and persons that provide credit institutions or financial institutions solely with messaging or other support systems for transmitting funds as defined in Article 4, point (25), of Directive (EU) 2015/2366 or with clearing and settlement systems, do not fall within the scope of this Regulation.

Obliged entities should obtain and hold adequate and accurate information on the beneficial ownership and control of legal persons. As bearer shares accord ownership to the person who possesses the bearer share certificate, they allow the beneficial owner to remain anonymous. To ensure that such shares are not misused for money laundering or terrorist financing purposes, companies — other than those with listed securities on a regulated market or whose shares are issued as intermediated securities — should convert all existing bearer shares into registered shares, immobilise them, or deposit them with a financial institution. In addition, bearer share warrants should only be permitted in intermediated form.

The anonymity of crypto-assets exposes them to risks of misuse for criminal purposes. Anonymous crypto-asset accounts, as well as other anonymising instruments, do not allow the traceability of crypto-asset transfers, and make it difficult to identify linked transactions that might raise suspicion or to apply an adequate level of customer due diligence. In order to ensure effective application of AML/CFT requirements to crypto-assets, it is necessary to prohibit the provision and the custody of anonymous crypto-asset accounts or accounts allowing for the anonymisation or the increased obfuscation of transactions by crypto-asset service providers, including through anonymity-enhancing coins. That prohibition does not apply to providers of hardware and software or providers of self-hosted wallets insofar as they do not possess access to or control over those crypto-asset wallets.

The use of large cash payments is highly vulnerable to money laundering and terrorist financing, and that vulnerability has not been sufficiently mitigated by the requirement for persons trading in goods to be subject to anti-money laundering rules when making or receiving cash payments of EUR 10 000 or more. At the same time, differences in approaches among Member States have undermined the level playing field within the internal market to the detriment of businesses located in Member States with stricter controls. It is therefore necessary to introduce a Union-wide limit to large cash payments of EUR 10 000. Member States should be able to adopt lower thresholds and further stricter provisions to the extent that they pursue legitimate objectives in the public interest. Given that the AML/CFT framework is based on the regulation of the business economy, the limit should not apply to payments between natural persons who are not acting in a professional capacity. In addition, in order to ensure that the Union-wide limit does not unintentionally create barriers for persons who do not use or do not have access to banking services to make payments, or for business to deposit the income from their activities in their accounts, payments or deposits made at the premises of credit institutions, payment institutions or electronic money institutions should also be exempted from the application of the limit.

Cash payments or deposits made at the premises of credit institutions, payment service providers and electronic money providers that exceed the threshold for large cash payments should not, by default, be considered an indicator for suspicion of money laundering, its predicate offences or terrorist financing. The reporting of such transactions enables the FIU to assess and identify patterns concerning the movement of cash and, while such information contributes to the FIU’s operational or strategic analyses, the nature of threshold-based disclosures makes them distinct from suspicious transaction reports. To that effect, threshold-based disclosures do not replace the requirement to report suspicious transactions or to apply enhanced due diligence measures in cases of higher risk. It should be possible for FIUs to require the reports to be made within a specific deadline, which could include the periodic submission on an aggregated basis.

There might be cases where reasons of force majeure, such as those caused by natural catastrophes, result in a widespread loss of access to payment mechanisms other than cash. In such cases, Member States should be able to suspend the application of the limit on large cash payments. Such a suspension is an extraordinary measure and should only be applied where necessary as a response to exceptional, duly justified, situations. An impossibility to access financial services does not constitute a valid ground for the suspension of the limit where it is attributable to a Member State’s failure to guarantee that consumers have access to financial infrastructure across the entirety of its territory.