AMLA’s Draft RTS on group-wide requirements and third country measures

Pursuant to the new EU AML reform package, the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (“AMLA”) opened a public consultation on 16 April 2026 on its draft regulatory technical standards on group-wide minimum requirements and additional measures for subsidiaries and branches in third countries under Articles 16(4) and 17(3) of the Anti-Money Laundering Regulation (Regulation (EU) 2024/1624) (“AMLR“) (the “Draft RTS”).  The Draft RTS are Level 2 measures, being technical in nature and are adopted by the European Commission as delegated acts.  This follows previous consultations on the Draft RTS by the European Banking Authority (“EBA”) which focussed on the financial sector.

As part of the consultation process, a public hearing was held on 20 May 2026.  AMLA will consider the feedback when preparing its submission to the European Commission by 30 September 2026.

The Draft RTS

The Draft RTS, which form part of the EU’s AML/CFT reform package and will have a general application date of 10 July 2027, aim to develop a harmonised approach regarding the design and implementation of group-wide AML / CFT frameworks, including their application in cross-border group structures and where branches or subsidiaries operate in third countries.  These policies and procedures are required to be implemented effectively at the level of branches and subsidiaries outside the EU.  Where branches or subsidiaries are located in third countries in which local law does not permit the application of some or all of the group’s AML/CFT policies, for example, because the sharing of customer information within the group conflicts with local data protection requirements, then one or more of the nine additional measures set out in Article 15 of the Draft RTS are required to be taken on a risk-sensitive basis.

The requirement to implement group-wide AML/CFT policies and procedures, including policies and procedures for sharing information within the group, is already a requirement of the Fourth AML Directive and, in Ireland, is implemented under Chapter 7 (Special provisions applying to credit and financial institutions) of the Criminal Justice (Money laundering and terrorist Financing) Act 2010 (as amended) under sections 57 and 57A (the “2010 Act”).

The approach in the Draft RTS places a strong emphasis on proportionality and ensures continuity with the existing regulatory framework while updating it to reflect the broader scope and supervisory architecture introduced by the AMLR.  More specifically, the Draft RTS extend the equivalent third-country additional measures framework to all ‘obliged entities’ under Article 3 of the AMLR thereby encompassing non-financial sector entities that are not currently subject to the prescriptive requirements of the existing directly applicable Level 2 measure governing third-country additional measures Commission Delegated Regulation (EU) 2019/758 – namely, Commission Delegated Regulation (EU) 2019/758. The latter will be repealed with effect from 10 July 2027 upon entry into application of the Draft RTS. In addition, the Draft RTS introduce binding minimum content requirements for group-wide policies, procedures and controls. Therefore, where parent undertakings or in-scope entities (“Obliged Entities“) fall within the scope of the Draft RTS, such Obliged Entities will be required to implement group-wide AML/CFT policies, procedures and controls across the group, and where branches or subsidiaries are located in third countries whose law prevents full compliance, to take additional measures to ensure that those branches and subsidiaries effectively handle the ML/TF risk.

We note that section 57 of the 2010 Act applies to any designated person that forms part of a group –  a category which includes credit institutions and financial institutions, auditors, tax advisers, relevant independent legal professionals, trust or company service providers, and property service providers, among others.

AMLR

Article 16 of the AMLR outlines the obligations for group-wide AML/CFT frameworks; which requires parent undertakings, to perform a group-wide risk assessment, taking into account the business-wide risk assessment performed by all branches and subsidiaries of the group, and establish and implement group-wide uniform policies, controls and procedures.  It also mandates the establishment of a group compliance function, effective information sharing within group entities and the adoption of an annual report on the implementation of these group-wide policies, controls and procedures.

Article 16(4) of the AMLR mandates AMLA to develop draft RTS specifying:

• the minimum requirements of group-wide policies, procedures and controls, including minimum standards for information sharing within the group;
• the criteria for identifying the parent undertaking in the cases covered by Article 2(1), point (42)(b) of the AMLR (i.e., where two or more obliged entities established in the Union belong to a common head office located outside the Union and are not in a parent-subsidiary relationship with each other); and
• the conditions under which the provisions of this article apply to entities that are part of structures which share common ownership, management or compliance control, including networks or partnerships, as well as the criteria for identifying the parent undertaking in the European Union (“EU”) in those cases.

Article 17 of the AMLR requires Obliged Entities to implement additional measures where legal or regulatory restrictions in a third country prevent compliance with the AMLR, and to inform the supervisor of the home Member State of such impediments.  In certain circumstances, supervisors of the home Member State may require the implementation of further supervisory actions, including restrictions on business relationships, the termination of transactions, or the closure of operations in the relevant third country.

Article 17(3) of the AMLR complements the group-wide framework established under Article 16 of the AMLR, and mandates AMLA to develop draft RTS specifying:

• the type of additional measures to be taken by Obliged Entities where the law of a third country prevents compliance with the AMLR;
• the minimum actions that must be implemented in such circumstances; and
• the additional supervisory actions that may be applied by supervisors where the additional measures taken by Obliged Entities in these circumstances are insufficient.

A key distinction between Articles 16 and 17 is that the draft RTS provisions associated with Article 16 of the AMLR encompass a broad range of configurations of group and structures, whereas provisions related to Article 17 of the AMLR are limited in scope and apply exclusively to groups comprising branches and/or subsidiaries in third countries.  The criteria for determining when structures other than groups are required to apply group-equivalent requirements are based on the conditions that such structures have common ownership, management or compliance control.

Some of the key elements of the Draft RTS are as follows:

1. Focus on proportionality and simplification: AMLA proposes to address both mandates by way of a single set of RTS to address the mandates under Articles 16(4) and 17(3) of the AMLR. In line with the principle of proportionality, the Draft RTS clarify that the adoption of group-wide requirements should be aligned to the size and complexity of groups and structures, providing rules of general application to all types of business models.
2. Minimum requirements regarding group-wide policies, procedures and controls: Article 16 of the AMLR provides that, in the case of a group, the parent undertaking in the EU shall ensure that the requirements to have in place internal policies, procedures and controls, as well as on business-wide risk assessment (detailed in articles 9 and 10 of the AMLR) apply in all branches and subsidiaries.  Group-wide internal policies must be formally documented and approved by the management body of the parent undertaking. Group-wide procedures and controls shall be approved at least at the level of the group compliance manager. All group-wide policies, procedures and controls must be kept up to date and made available to supervisors upon request.
3. Information sharing within a group: In line with the EBA response to the Commission’s call for advice issued in October 2025, the Draft RTS sets out a balanced approach that allows group entities to share customer information, suspicious transaction data, information on transactions, services, and activities; certain risk assessments, suspicious transaction and activity reporting data—whilst at all times being subject to the applicable data protection laws and regulations, especially for transfers to third countries.  Obliged Entities are required to define the conditions under which information must be shared between group entities. At a minimum, this includes situations where a common customer or beneficial owner or customers belonging to the same group exist across at least two Obliged Entities of the group.
4. Legal impediments affecting branches and subsidiaries in third countries: Where the law of a third country does not permit compliance with the AMLR, parent undertakings or Obliged Entities are required to implement additional measures to ensure that branches and subsidiaries effectively manage Money Laundering / Terrorist Financing risks. The Draft RTS build on the framework established by Commission Delegated Regulation (EU) 2019/758, which  supplements the Fourth EU Money Laundering Directive, extending its scope to all Obliged Entities under the AMLR, including the non-financial sectors. The draft RTS introduce provisions on additional supervisory actions and establish a structured escalation framework to be applied where supervisors determine, following a supervisory assessment, that the measures taken are insufficient to effectively manage the risk.  This can range from the supervisors requiring corrective measures to closure of some or all operations in the affected jurisdiction. In all cases where an impediment is identified, the parent undertaking or Obliged Entity must notify the supervisor of the home Member State without undue delay, and in any case no later than 28 calendar days after identifying the relevant restriction or prohibition.
5. Criteria for identifying the parent undertaking in the EU: The Draft RTS outline quantitative and qualitative criteria for identifying the parent undertaking in the EU in cases where two or more Obliged Entities belong to a head office in a third country.  In order to ensure that the designated parent undertaking is in fact the entity best positioned to enforce AML/CFT measures across the group, the determination focuses on operational control and risk management capacity.  Entities that qualify as parent undertaking are required to notify their supervisors without undue delay and in any case no later than 28 calendar days after such determination. The home supervisor will have a period of two months from receipt of the complete notification to reach a decision on the identification of the parent undertaking in the Union.
6. Conditions for the application of group-wide requirements to structure sharing common ownership, management or compliance controls: The Draft RTS provide for the extension of group-wide equivalent requirements to structures other than “groups” (as defined under accounting or prudential rules) that exhibit characteristics that necessitate similar AML/CFT requirements. The Draft RTS are specifically designed to provide Obliged Entities, particularly those in the non-financial sector, with clear and actionable provisions to determine whether they fall within the scope of these provisions. It is important that these measures deliver

In addition to defining the scope of application of group-wide equivalent requirements to certain structures, the Draft RTS also provide criteria for identifying parent undertaking in the Union for these structures. Interestingly, in specific cases this may result in the parent undertaking being a non-Obliged Entity where it is determined that it is the best placed entity in the structure to implement group-wide AML/CFT measures. As above, the Draft RTS introduce a notification requirement to the supervisors.

The consultation responses will be made available on the AMLA’s website and a final report will be published.  We will continue to monitor developments and, in the meantime, if you have any queries about this update, please contact partners Joe Beashel, Niamh Mulholland or Ian O’Mara or your usual contact in the Financial Institutions Group at Matheson.