02015L0849 — EN — 30.12.2024 — 004.001 — 1

This text is meant purely as a documentation tool and has no legal effect. The Union's institutions do not assume any liability

for its contents. The authentic versions of the relevant acts, including their preambles, are those published in the Official

Journal of the European Union and available in EUR-Lex. Those official texts are directly accessible through the links

embedded in this document

►B

DIRECTIVE (EU) 2015/849 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of 20 May 2015

on the prevention of the use of the financial system for the purposes of money laundering or

terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the

Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and

Commission Directive 2006/70/EC

(Text with EEA relevance)

(OJ L 141, 5.6.2015, p. 73)

Amended by:

Official Journal

No

page

date

Directive (EU) 2018/843 of the European Parliament and of the L 156

Council of 30 May 2018

19.6.2018

Directive (EU) 2019/2177 of the European Parliament and of the L 334

Council of 18 December 2019

155

1

27.12.2019

9.6.2023

Regulation (EU) 2023/1113 of the European Parliament and of the L 150

Council of 31 May 2023

Directive (EU) 2024/1640 of the European Parliament and of the L 1640

Council of 31 May 2024

1

19.6.2024

02015L0849 — EN — 30.12.2024 — 004.001 — 2

▼B

DIRECTIVE (EU) 2015/849 OF THE EUROPEAN PARLIAMENT

AND OF THE COUNCIL

of 20 May 2015

on the prevention of the use of the financial system for the purposes

of money laundering or terrorist financing, amending

Regulation (EU) No 648/2012 of the European Parliament and of

the Council, and repealing Directive 2005/60/EC of the European

Parliament and of the Council and Commission Directive

2006/70/EC

(Text with EEA relevance)

CHAPTER I

GENERAL PROVISIONS

SECTION 1

Subject-matter, scope and definitions

Article 1

1.

This Directive aims to prevent the use of the Union's financial

system for the purposes of money laundering and terrorist financing.

2.

Member States shall ensure that money laundering and terrorist

financing are prohibited.

3.

For the purposes of this Directive, the following conduct, when

committed intentionally, shall be regarded as money laundering:

(a) the conversion or transfer of property, knowing that such property is

derived from criminal activity or from an act of participation in such

activity, for the purpose of concealing or disguising the illicit origin

of the property or of assisting any person who is involved in the

commission of such an activity to evade the legal consequences of

that person's action;

(b) the concealment or disguise of the true nature, source, location,

disposition, movement, rights with respect to, or ownership of,

property, knowing that such property is derived from criminal

activity or from an act of participation in such an activity;

(c) the acquisition, possession or use of property, knowing, at the time

of receipt, that such property was derived from criminal activity or

from an act of participation in such an activity;

(d) participation in, association to commit, attempts to commit and

aiding, abetting, facilitating and counselling the commission of

any of the actions referred to in points (a), (b) and (c).

02015L0849 — EN — 30.12.2024 — 004.001 — 3

▼B

4.

Money laundering shall be regarded as such even where the

activities which generated the property to be laundered were carried

out in the territory of another Member State or in that of a third country.

5.

For the purposes of this Directive, ‘terrorist financing’ means the

provision or collection of funds, by any means, directly or indirectly,

with the intention that they be used or in the knowledge that they are to

be used, in full or in part, in order to carry out any of the offences

within the meaning of Articles 1 to 4 of Council Framework Decision

2002/475/JHA (¹).

6.

Knowledge, intent or purpose required as an element of the

activities referred to in paragraphs 3 and 5 may be inferred from

objective factual circumstances.

Article 2

1.

This Directive shall apply to the following obliged entities:

(1) credit institutions;

(2) financial institutions;

(3) the following natural or legal persons acting in the exercise of their

professional activities:

▼M1

(a) auditors, external accountants and tax advisors, and any other

person that undertakes to provide, directly or by means of other

persons to which that other person is related, material aid,

assistance or advice on tax matters as principal business or

professional activity;

▼B

(b) notaries and other independent legal professionals, where they

participate, whether by acting on behalf of and for their client in

any financial or real estate transaction, or by assisting in the

planning or carrying out of transactions for their client

concerning the:

(i) buying and selling of real property or business entities;

(ii) managing of client money, securities or other assets;

(iii) opening or management of bank, savings or securities

accounts;

(iv) organisation of contributions necessary for the creation,

operation or management of companies;

(¹) Council Framework Decision 2002/475/JHA of 13 June 2002 on combating

terrorism (OJ L 164, 22.6.2002, p. 3).

02015L0849 — EN — 30.12.2024 — 004.001 — 4

▼B

(v) creation, operation or management of trusts, companies,

foundations, or similar structures;

(c) trust or company service providers not already covered under

point (a) or (b);

▼M1

(d) estate agents including when acting as intermediaries in the

letting of immovable property, but only in relation to trans-

actions for which the monthly rent amounts to EUR 10 000

or more;

▼B

(e) other persons trading in goods to the extent that payments are

made or received in cash in an amount of EUR 10 000 or more,

whether the transaction is carried out in a single operation or in

several operations which appear to be linked;

(f) providers of gambling services;

__________

▼M3

▼M1

(i) persons trading or acting as intermediaries in the trade of works

of art, including when this is carried out by art galleries and

auction houses, where the value of the transaction or a series of

linked transactions amounts to EUR 10 000 or more;

(j) persons storing, trading or acting as intermediaries in the trade

of works of art when this is carried out by free ports, where the

value of the transaction or a series of linked transactions

amounts to EUR 10 000 or more.

▼B

2.

With the exception of casinos, and following an appropriate risk

assessment, Member States may decide to exempt, in full or in part,

providers of certain gambling services from national provisions trans-

posing this Directive on the basis of the proven low risk posed by the

nature and, where appropriate, the scale of operations of such services.

Among the factors considered in their risk assessments, Member States

shall assess the degree of vulnerability of the applicable transactions,

including with respect to the payment methods used.

In their risk assessments, Member States shall indicate how they have

taken into account any relevant findings in the reports issued by the

Commission pursuant to Article 6.

Any decision taken by a Member State pursuant to the first subpara-

graph shall be notified to the Commission, together with a justification

based on the specific risk assessment. The Commission shall

communicate that decision to the other Member States.

02015L0849 — EN — 30.12.2024 — 004.001 — 5

▼B

3.

Member States may decide that persons that engage in a financial

activity on an occasional or very limited basis where there is little risk

of money laundering or terrorist financing do not fall within the scope

of this Directive, provided that all of the following criteria are met:

(a) the financial activity is limited in absolute terms;

(b) the financial activity is limited on a transaction basis;

(c) the financial activity is not the main activity of such persons;

(d) the financial activity is ancillary and directly related to the main

activity of such persons;

(e) the main activity of such persons is not an activity referred to in

points (a) to (d) or point (f) of paragraph 1(3);

(f) the financial activity is provided only to the customers of the main

activity of such persons and is not generally offered to the public.

The first subparagraph shall not apply to persons engaged in the activity

of money remittance as defined in point (13) of Article 4 of Directive

2007/64/EC of the European Parliament and of the Council (¹).

4.

For the purposes of point (a) of paragraph 3, Member States shall

require that the total turnover of the financial activity does not exceed a

threshold which must be sufficiently low. That threshold shall be estab-

lished at national level, depending on the type of financial activity.

5.

For the purposes of point (b) of paragraph 3, Member States shall

apply a maximum threshold per customer and per single transaction,

whether the transaction is carried out in a single operation or in several

operations which appear to be linked. That maximum threshold shall be

established at national level, depending on the type of financial activity.

It shall be sufficiently low in order to ensure that the types of trans-

actions in question are an impractical and inefficient method for money

laundering or terrorist financing, and shall not exceed EUR 1 000.

6.

For the purposes of point (c) of paragraph 3, Member States shall

require that the turnover of the financial activity does not exceed 5 % of

the total turnover of the natural or legal person concerned.

(¹) Directive 2007/64/EC of the European Parliament and of the Council of

13 November 2007 on payment services in the internal market amending

Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and

repealing Directive 97/5/EC (OJ L 319, 5.12.2007, p. 1).

02015L0849 — EN — 30.12.2024 — 004.001 — 6

▼B

7.

In assessing the risk of money laundering or terrorist financing for

the purposes of this Article, Member States shall pay particular attention

to any financial activity which is considered to be particularly likely, by

its nature, to be used or abused for the purposes of money laundering or

terrorist financing.

8.

Decisions taken by Member States pursuant to paragraph 3 shall

state the reasons on which they are based. Member States may decide to

withdraw such decisions where circumstances change. They shall notify

such decisions to the Commission. The Commission shall communicate

such decisions to the other Member States.

9.

Member States shall establish risk-based monitoring activities or

take other adequate measures to ensure that the exemption granted by

decisions pursuant to this Article is not abused.

Article 3

For the purposes of this Directive, the following definitions apply:

(1) ‘credit institution’ means a credit institution as defined in point (1)

of Article 4(1) of Regulation (EU) No 575/2013 of the European

Parliament and of the Council (¹), including branches thereof, as

defined in point (17) of Article 4(1) of that Regulation, located in

the Union, whether its head office is situated within the Union or

in a third country;

(2) ‘financial institution’ means:

(a) an undertaking other than a credit institution, which carries out

one or more of the activities listed in points (2) to (12), (14)

and (15) of Annex I to Directive 2013/36/EU of the European

Parliament and of the Council (²), including the activities of

currency exchange offices (bureaux de change);

(b) an insurance undertaking as defined in point (1) of Article 13

of Directive 2009/138/EC of the European Parliament and of

the Council (³), insofar as it carries out life assurance activities

covered by that Directive;

(¹) Regulation (EU) No 575/2013 of the European Parliament and of the Council

of 26 June 2013 on prudential requirements for credit institutions and

investment firms and amending Regulation (EU) No 648/2012 (OJ L 176,

27.6.2013, p. 1).

(²) Directive 2013/36/EU of the European Parliament and of the Council of

26 June 2013 on access to the activity of credit institutions and the prudential

supervision of credit institutions and investment firms, amending Directive

2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176,

27.6.2013, p. 338).

(³) Directive 2009/138/EC of the European Parliament and of the Council of

25 November 2009 on the taking-up and pursuit of the business of

Insurance and Reinsurance (Solvency II) (OJ L 335, 17.12.2009, p. 1).

02015L0849 — EN — 30.12.2024 — 004.001 — 7

▼B

(c) an investment firm as defined in point (1) of Article 4(1) of

Directive 2004/39/EC of the European Parliament and of the

Council (¹);

(d) a collective investment undertaking marketing its units or

shares;

(e) an insurance intermediary as defined in point (5) of Article 2

of Directive 2002/92/EC of the European Parliament and of

the Council (²) where it acts with respect to life insurance and

other investment-related services, with the exception of a tied

insurance intermediary as defined in point (7) of that Article;

(f) branches, when located in the Union, of financial institutions

as referred to in points (a) to (e), whether their head office is

situated in a Member State or in a third country;

▼M3

(g) crypto-asset service providers;

▼B

(3) ‘property’ means assets of any kind, whether corporeal or incor-

poreal, movable or immovable, tangible or intangible, and legal

documents or instruments in any form including electronic or

digital, evidencing title to or an interest in such assets;

(4) ‘criminal activity’ means any kind of criminal involvement in the

commission of the following serious crimes:

▼M1

▼B

(a) terrorist offences, offences related to a terrorist group and

offences related to terrorist activities as set out in Titles II

and III of Directive (EU) 2017/541 (³);

(b) any of the offences referred in Article 3(1)(a) of the 1988

United Nations Convention against Illicit Traffic in Narcotic

Drugs and Psychotropic Substances;

▼M1

(c) the activities of criminal organisations as defined in Article 1(1)

of Council Framework Decision 2008/841/JHA (⁴);

(¹) Directive 2004/39/EC of the European Parliament and of the Council of

21 April 2004 on markets in financial instruments amending Council

Directives 85/611/EEC and 93/6/EEC and Directive 2000/12/EC of the

European Parliament and of the Council and repealing Council Directive

93/22/EEC (OJ L 145, 30.4.2004, p. 1).

(²) Directive 2002/92/EC of the European Parliament and of the Council of

9 December 2002 on insurance mediation (OJ L 9, 15.1.2003, p. 3).

(³) Directive (EU) 2017/541 of the European Parliament and of the Council of

15 March 2017 on combating terrorism and replacing Council Framework

Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ

L 88, 31.3.2017, p. 6).

(⁴) Council Framework Decision 2008/841/JHA of 24 October 2008 on the fight

against organised crime (OJ L 300, 11.11.2008, p. 42).

02015L0849 — EN — 30.12.2024 — 004.001 — 8

▼B

(d) fraud affecting the Union's financial interests, where it is at

least serious, as defined in Article 1(1) and Article 2(1) of the

Convention on the protection of the European Communities'

financial interests (¹);

(e) corruption;

(f) all offences, including tax crimes relating to direct taxes and

indirect taxes and as defined in the national law of the

Member States, which are punishable by deprivation of

liberty or a detention order for a maximum of more than

one year or, as regards Member States that have a minimum

threshold for offences in their legal system, all offences

punishable by deprivation of liberty or a detention order for

a minimum of more than six months;

(5) ‘self-regulatory body’ means a body that represents members of a

profession and has a role in regulating them, in performing certain

supervisory or monitoring type functions and in ensuring the en-

forcement of the rules relating to them;

(6) ‘beneficial owner’ means any natural person(s) who ultimately

owns or controls the customer and/or the natural person(s) on

whose behalf a transaction or activity is being conducted and

includes at least:

(a) in the case of corporate entities:

(i) the natural person(s) who ultimately owns or controls a

legal entity through direct or indirect ownership of a

sufficient percentage of the shares or voting rights or

ownership interest in that entity, including through

bearer shareholdings, or through control via other means,

other than a company listed on a regulated market that is

subject to disclosure requirements consistent with Union

law or subject to equivalent international standards which

ensure adequate transparency of ownership information.

A shareholding of 25 % plus one share or an ownership

interest of more than 25 % in the customer held by a

natural person shall be an indication of direct ownership.

A shareholding of 25 % plus one share or an ownership

interest of more than 25 % in the customer held by a

corporate entity, which is under the control of a natural

person(s), or by multiple corporate entities, which are

under the control of the same natural person(s), shall be

an indication of indirect ownership. This applies without

prejudice to the right of Member States to decide that a

lower percentage may be an indication of ownership or

control. Control through other means may be determined,

inter alia, in accordance with the criteria in Article 22(1)

to (5) of Directive 2013/34/EU of the European Parliament

and of the Council (²);

(¹) OJ C 316, 27.11.1995, p. 49.

(²) Directive 2013/34/EU of the European Parliament and of the Council of

26 June 2013 on the annual financial statements, consolidated financial

statements and related reports of certain types of undertakings, amending

Directive 2006/43/EC of the European Parliament and of the Council and

repealing Council Directives 78/660/EEC and 83/349/EEC (OJ L 182,

29.6.2013, p. 19).

02015L0849 — EN — 30.12.2024 — 004.001 — 9

▼B

(ii) if, after having exhausted all possible means and provided

there are no grounds for suspicion, no person under

point (i) is identified, or if there is any doubt that the

person(s) identified are the beneficial owner(s), the

natural person(s) who hold the position of senior

managing official(s), the obliged entities shall keep

records of the actions taken in order to identify the

beneficial ownership under point (i) and this point;

▼M1

(b) in the case of trusts, all following persons:

(i) the settlor(s);

(ii) the trustee(s);

(iii) the protector(s), if any;

(iv) the beneficiaries or where the individuals benefiting from

the legal arrangement or entity have yet to be determined,

the class of persons in whose main interest the legal

arrangement or entity is set up or operates;

(v) any other natural person exercising ultimate control over

the trust by means of direct or indirect ownership or by

other means;

▼B

(c) in the case of legal entities such as foundations, and legal

arrangements similar to trusts, the natural person(s) holding

equivalent or similar positions to those referred to in point (b);

(7) ‘trust or company service provider’ means any person that, by way

of its business, provides any of the following services to third

parties:

(a) the formation of companies or other legal persons;

(b) acting as, or arranging for another person to act as, a director

or secretary of a company, a partner of a partnership, or a

similar position in relation to other legal persons;

(c) providing a registered office, business address, correspondence

or administrative address and other related services for a

company,

a

partnership or any other legal person or

arrangement;

(d) acting as, or arranging for another person to act as, a trustee of

an express trust or a similar legal arrangement;

02015L0849 — EN — 30.12.2024 — 004.001 — 10

▼B

(e) acting as, or arranging for another person to act as, a nominee

shareholder for another person other than a company listed on

a regulated market that is subject to disclosure requirements in

accordance with Union law or subject to equivalent inter-

national standards;

▼M3

(8) ‘correspondent relationship’ means:

(a) the provision of banking services by one bank as the corre-

spondent to another bank as the respondent, including

providing a current or other liability account and related

services, such as cash management, international funds

transfers, cheque clearing, payable-through accounts and

foreign exchange services;

(b) the relationships between and among credit institutions and

financial institutions, including where similar services are

provided by a correspondent institution to a respondent insti-

tution, and including relationships established for securities

transactions or funds transfers or relationships established for

transactions in crypto-assets or transfers of crypto-assets;

▼B

(9) ‘politically exposed person’ means a natural person who is or who

has been entrusted with prominent public functions and includes

the following:

(a) heads of State, heads of government, ministers and deputy or

assistant ministers;

(b) members of parliament or of similar legislative bodies;

(c) members of the governing bodies of political parties;

(d) members of supreme courts, of constitutional courts or of other

high-level judicial bodies, the decisions of which are not

subject to further appeal, except in exceptional circumstances;

(e) members of courts of auditors or of the boards of central

banks;

(f) ambassadors, chargés d'affaires and high-ranking officers in

the armed forces;

(g) members of the administrative, management or supervisory

bodies of State-owned enterprises;

(h) directors, deputy directors and members of the board or

equivalent function of an international organisation.

No public function referred to in points (a) to (h) shall be

understood as covering middle-ranking or more junior officials;

(10) ‘family members’ includes the following:

(a) the spouse, or a person considered to be equivalent to a

spouse, of a politically exposed person;

02015L0849 — EN — 30.12.2024 — 004.001 — 11

▼B

(b) the children and their spouses, or persons considered to be

equivalent to a spouse, of a politically exposed person;

(c) the parents of a politically exposed person;

(11) ‘persons known to be close associates’ means:

(a) natural persons who are known to have joint beneficial

ownership of legal entities or legal arrangements, or any

other close business relations, with a politically exposed

person;

(b) natural persons who have sole beneficial ownership of a legal

entity or legal arrangement which is known to have been set

up for the de facto benefit of a politically exposed person.

(12) ‘senior management’ means an officer or employee with sufficient

knowledge of the institution's money laundering and terrorist

financing risk exposure and sufficient seniority to take decisions

affecting its risk exposure, and need not, in all cases, be a member

of the board of directors;

(13) ‘business relationship’ means

a

business, professional or

commercial relationship which is connected with the professional

activities of an obliged entity and which is expected, at the time

when the contact is established, to have an element of duration;

(14) ‘gambling services’ means a service which involves wagering a

stake with monetary value in games of chance, including those

with an element of skill such as lotteries, casino games, poker

games and betting transactions that are provided at a physical

location, or by any means at a distance, by electronic means or

any other technology for facilitating communication, and at the

individual request of a recipient of services;

(15) ‘group’ means a group of undertakings which consists of a parent

undertaking, its subsidiaries, and the entities in which the parent

undertaking or its subsidiaries hold a participation, as well as

undertakings linked to each other by a relationship within the

meaning of Article 22 of Directive 2013/34/EU;

▼M1

(16) ‘electronic money’ means electronic money as defined in point (2)

of Article 2 of Directive 2009/110/EC, but excluding monetary

value as referred to in Article 1(4) and (5) of that Directive;

▼B

(17) ‘shell bank’ means a credit institution or financial institution, or an

institution that carries out activities equivalent to those carried out

by credit institutions and financial institutions, incorporated in a

jurisdiction in which it has no physical presence, involving mean-

ingful mind and management, and which is unaffiliated with a

regulated financial group;

02015L0849 — EN — 30.12.2024 — 004.001 — 12

▼M3

(18) ‘crypto-asset’ means a crypto-asset as defined in Article 3(1),

point (5), of Regulation (EU) 2023/1114 of the European

Parliament and of the Council (¹), except where falling within

the categories listed in Article 2(2), (3) and (4) of that Regulation

or otherwise qualifying as funds;

(19) ‘crypto-asset service provider’ means

a

crypto-asset service

provider as defined in Article 3(1), point (15), of Regulation (EU)

2023/1114, where performing one or more crypto-asset services as

defined in Article 3(1), point (16), of that Regulation, with the

exception of providing advice on crypto-assets as referred to in

Article 3(1), point (16)(h), of that Regulation;

(20) ‘self-hosted address’ means a self-hosted address as defined in

Article 3, point (20), of Regulation (EU) 2023/1113 of the

European Parliament and of the Council (²).

▼B

Article 4

1.

Member States shall, in accordance with the risk-based approach,

ensure that the scope of this Directive is extended in whole or in part to

professions and to categories of undertakings, other than the obliged

entities referred to in Article 2(1), which engage in activities which are

particularly likely to be used for the purposes of money laundering or

terrorist financing.

2.

Where a Member State extends the scope of this Directive to

professions or to categories of undertaking other than those referred

to in Article 2(1), it shall inform the Commission thereof.

Article 5

Member States may adopt or retain in force stricter provisions in the

field covered by this Directive to prevent money laundering and terrorist

financing, within the limits of Union law.

SECTION 2

Risk assessment

Article 6

1.

The Commission shall conduct an assessment of the risks of

money laundering and terrorist financing affecting the internal market

and relating to cross-border activities.

(¹) Regulation (EU) 2023/1114 of the European Parliament and of the Council of

31 May 2023 on markets in crypto-assets, and amending Regulations (EU)

No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU)

2019/1937 (OJ L 150, 9.6.2023, p. 40).

(²) Regulation (EU) 2023/1113 of the European Parliament and of the Council of

31 May 2023 on information accompanying transfers of funds and certain

crypto-assets and amending Directive (EU) 2015/849 (OJ L 150, 9.6.2023,

p. 1).

02015L0849 — EN — 30.12.2024 — 004.001 — 13

▼B

To that end, the Commission shall, by 26 June 2017, draw up a report

identifying, analysing and evaluating those risks at Union level.

Thereafter, the Commission shall update its report every two years, or

more frequently if appropriate.

2.

The report referred to in paragraph 1 shall cover at least the

following:

(a) the areas of the internal market that are at greatest risk;

▼M1

(b) the risks associated with each relevant sector including, where

available, estimates of the monetary volumes of money laundering

provided by Eurostat for each of those sectors;

(c) the most widespread means used by criminals to launder illicit

proceeds, including, where available, those particularly used in

transactions between Member States and third countries, inde-

pendently of the identification of a third country as high-risk

pursuant to Article 9(2).

▼M2

3.

The Commission shall make the report referred to in paragraph 1

available to Member States and obliged entities in order to assist them

in identifying, understanding, managing and mitigating the risks of

money laundering and terrorist financing, and to allow other stake-

holders, including national legislators, the European Parliament, the

European Supervisory Authority (European Banking Authority) estab-

lished by Regulation (EU) No 1093/2010 of the European Parliament

and of the Council (¹) (EBA), and representatives from EU Financial

Intelligence Units (FIUs), to better understand those risks. The report

shall be made public at the latest six months after having been made

available to Member States, except for those elements of the report

which contain classified information.

▼B

4.

The Commission shall make recommendations to Member States

on the measures suitable for addressing the identified risks. In the event

that Member States decide not to apply any of the recommendations in

their national AML/CFT regimes, they shall notify the Commission

thereof and provide a justification for such a decision.

5.

By 26 December 2016, the ESAs, through the Joint Committee,

shall issue an opinion on the risks of money laundering and terrorist

financing affecting the Union's financial sector (the ‘joint opinion’).

►M2 Thereafter, EBA shall issue an opinion every two years. ◄

6.

In conducting the assessment referred to in paragraph 1, the

Commission shall organise the work at Union level, shall take into

account the joint opinions referred to in paragraph 5 and shall involve

the Member States' experts in the area of AML/CFT, representatives

from FIUs and other Union level bodies where appropriate. The

Commission shall make the joint opinions available to the Member

States and obliged entities in order to assist them to identify, manage

and mitigate the risk of money laundering and terrorist financing.

(¹) Regulation (EU) No 1093/2010 of the European Parliament and of the

Council of 24 November 2010 establishing

Authority (European Banking Authority),

a

European Supervisory

amending Decision

No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331,

15.12.2010, p. 12).

02015L0849 — EN — 30.12.2024 — 004.001 — 14

▼B

7.

Every two years, or more frequently if appropriate, the

Commission shall submit a report to the European Parliament and to

the Council on the findings resulting from the regular risk assessments

and the action taken based on those findings.

Article 7

1.

Each Member State shall take appropriate steps to identify, assess,

understand and mitigate the risks of money laundering and terrorist

financing affecting it, as well as any data protection concerns in that

regard. It shall keep that risk assessment up to date.

2.

Each Member State shall designate an authority or establish a

mechanism by which to coordinate the national response to the risks

referred to in paragraph 1. ►M2 The identity of that authority or the

description of the mechanism shall be notified to the Commission, to

EBA, and to the other Member States. ◄

3.

In carrying out the risk assessments referred to in paragraph 1 of

this Article, Member States shall make use of the findings of the report

referred to in Article 6(1).

4.

As regards the risk assessment referred to in paragraph 1, each

Member State shall:

(a) use it to improve its AML/CFT regime, in particular by identifying

any areas where obliged entities are to apply enhanced measures

and, where appropriate, specifying the measures to be taken;

(b) identify, where appropriate, sectors or areas of lower or greater risk

of money laundering and terrorist financing;

(c) use it to assist it in the allocation and prioritisation of resources to

combat money laundering and terrorist financing;

(d) use it to ensure that appropriate rules are drawn up for each sector

or area, in accordance with the risks of money laundering and

terrorist financing;

(e) make appropriate information available promptly to obliged entities

to facilitate the carrying out of their own money laundering and

terrorist financing risk assessments;

▼M1

(f) report the institutional structure and broad procedures of their

AML/CFT regime, including, inter alia, the FIU, tax authorities

and prosecutors, as well as the allocated human and financial

resources to the extent that this information is available;

(g) report on national efforts and resources (labour forces and budget)

allocated to combat money laundering and terrorist financing.

02015L0849 — EN — 30.12.2024 — 004.001 — 15

▼M1

5.

►M2 Member States shall make the results of their risk

assessments, including their updates, available to the Commission, to

EBA and to the other Member States. ◄ Other Member States may

provide relevant additional information, where appropriate, to the

Member State carrying out the risk assessment. A summary of the

assessment shall be made publicly available. That summary shall not

contain classified information.

▼B

Article 8

1.

Member States shall ensure that obliged entities take appropriate

steps to identify and assess the risks of money laundering and terrorist

financing, taking into account risk factors including those relating to

their customers, countries or geographic areas, products, services, trans-

actions or delivery channels. Those steps shall be proportionate to the

nature and size of the obliged entities.

2.

The risk assessments referred to in paragraph 1 shall be docu-

mented, kept up-to-date and made available to the relevant competent

authorities and self-regulatory bodies concerned. Competent authorities

may decide that individual documented risk assessments are not

required where the specific risks inherent in the sector are clear and

understood.

3.

Member States shall ensure that obliged entities have in place

policies, controls and procedures to mitigate and manage effectively

the risks of money laundering and terrorist financing identified at the

level of the Union, the Member State and the obliged entity. Those

policies, controls and procedures shall be proportionate to the nature

and size of the obliged entities.

4.

The policies, controls and procedures referred to in paragraph 3

shall include:

(a) the development of internal policies, controls and procedures,

including model risk management practices, customer due diligence,

reporting, record-keeping, internal control, compliance management

including, where appropriate with regard to the size and nature of

the business, the appointment of

a

compliance officer at

management level, and employee screening;

(b) where appropriate with regard to the size and nature of the business,

an independent audit function to test the internal policies, controls

and procedures referred to in point (a).

5.

Member States shall require obliged entities to obtain approval

from their senior management for the policies, controls and procedures

that they put in place and to monitor and enhance the measures taken,

where appropriate.

02015L0849 — EN — 30.12.2024 — 004.001 — 16

▼B

SECTION 3

Third-country policy

Article 9

1.

Third-country jurisdictions which have strategic deficiencies in

their national AML/CFT regimes that pose significant threats to the

financial system of the Union (‘high-risk third countries’) shall be

identified in order to protect the proper functioning of the internal

market.

▼M1

2.

The Commission is empowered to adopt delegated acts in

accordance with Article 64 in order to identify high-risk third countries,

taking into account strategic deficiencies in particular in the following

areas:

(a) the legal and institutional AML/CFT framework of the third

country, in particular:

(i) the criminalisation of money laundering and terrorist financing;

(ii) measures relating to customer due diligence;

(iii) requirements relating to record-keeping;

(iv) requirements to report suspicious transactions;

(v) the availability of accurate and timely information of the

beneficial ownership of legal persons and arrangements to

competent authorities;

(b) the powers and procedures of the third country’s competent auth-

orities for the purposes of combating money laundering and terrorist

financing including appropriately effective, proportionate and

dissuasive sanctions, as well as the third country’s practice in co-

operation and exchange of information with Member States’

competent authorities;

(c) the effectiveness of the third country’s AML/CFT system in

addressing money laundering or terrorist financing risks.

▼B

3.

The delegated acts referred to in paragraph 2 shall be adopted

within one month after the identification of the strategic deficiencies

referred to in that paragraph.

▼M1

4.

The Commission, when drawing up the delegated acts referred to

in paragraph 2, shall take into account relevant evaluations, assessments

or reports drawn up by international organisations and standard setters

with competence in the field of preventing money laundering and

combating terrorist financing.

02015L0849 — EN — 30.12.2024 — 004.001 — 17

▼B

CHAPTER II

CUSTOMER DUE DILIGENCE

SECTION 1

General provisions

Article 10

▼M1

1.

Member States shall prohibit their credit institutions and financial

institutions from keeping anonymous accounts, anonymous passbooks

or anonymous safe-deposit boxes. Member States shall, in any event,

require that the owners and beneficiaries of existing anonymous

accounts, anonymous passbooks or anonymous safe-deposit boxes be

subject to customer due diligence measures no later than 10 January

2019 and in any event before such accounts, passbooks or deposit boxes

are used in any way.

▼B

2.

Member States shall take measures to prevent misuse of bearer

shares and bearer share warrants.

Article 11

Member States shall ensure that obliged entities apply customer due

diligence measures in the following circumstances:

(a) when establishing a business relationship;

(b) when carrying out an occasional transaction that:

(i) amounts to EUR 15 000 or more, whether that transaction is

carried out in a single operation or in several operations which

appear to be linked; or

(ii) constitutes a transfer of funds, as defined in point (9) of

Article 3 of Regulation (EU) 2015/847 of the European

Parliament and of the Council (¹), exceeding EUR 1 000;

(c) in the case of persons trading in goods, when carrying out occa-

sional transactions in cash amounting to EUR 10 000 or more,

whether the transaction is carried out in a single operation or in

several operations which appear to be linked;

(d) for providers of gambling services, upon the collection of winnings,

the wagering of a stake, or both, when carrying out transactions

amounting to EUR 2 000 or more, whether the transaction is carried

out in a single operation or in several operations which appear to be

linked;

(¹) Regulation (EU) 2015/847 of the European Parliament and of the Council of

20 May 2015 on information accompanying transfers of funds and repealing

Regulation (EC) No 1781/2006 (see page 1 of this Official Journal).

02015L0849 — EN — 30.12.2024 — 004.001 — 18

▼B

(e) when there is a suspicion of money laundering or terrorist financing,

regardless of any derogation, exemption or threshold;

(f) when there are doubts about the veracity or adequacy of previously

obtained customer identification data.

Article 12

1.

By way of derogation from points (a), (b) and (c) of the first

subparagraph of Article 13(1) and Article 14, and based on an appro-

priate risk assessment which demonstrates a low risk, a Member State

may allow obliged entities not to apply certain customer due diligence

measures with respect to electronic money, where all of the following

risk-mitigating conditions are met:

▼M1

(a) the payment instrument is not reloadable, or has a maximum

monthly payment transactions limit of EUR 150 which can be

used only in that Member State;

(b) the maximum amount stored electronically does not exceed EUR 150;

▼B

(c) the payment instrument is used exclusively to purchase goods or

services;

(d) the payment instrument cannot be funded with anonymous elec-

tronic money;

(e) the issuer carries out sufficient monitoring of the transactions or

business relationship to enable the detection of unusual or

suspicious transactions.

▼M1

__________

2.

Member States shall ensure that the derogation provided for in

paragraph 1 of this Article is not applicable in the case of redemption

in cash or cash withdrawal of the monetary value of the electronic

money where the amount redeemed exceeds EUR 50, or in the case

of remote payment transactions as defined in point (6) of Article 4 of

the Directive (EU) 2015/2366 of the European Parliament and of the

Council (¹) where the amount paid exceeds EUR 50 per transaction.

3.

Member States shall ensure that credit institutions and financial

institutions acting as acquirers only accept payments carried out with

anonymous prepaid cards issued in third countries where such cards

meet requirements equivalent to those set out in paragraphs 1 and 2.

Member States may decide not to accept on their territory payments

carried out by using anonymous prepaid cards.

(¹) Directive (EU) 2015/2366 of the European Parliament and of the Council of

25 November 2015 on payment services in the internal market, amending

Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU)

No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015,

p. 35).

02015L0849 — EN — 30.12.2024 — 004.001 — 19

▼B

Article 13

1.

Customer due diligence measures shall comprise:

▼M1

(a) identifying the customer and verifying the customer’s identity on

the basis of documents, data or information obtained from a reliable

and independent source, including, where available, electronic

identification means, relevant trust services as set out in

Regulation (EU) No 910/2014 of the European Parliament and of

the Council (¹) or any other secure, remote or electronic identifi-

cation process regulated, recognised, approved or accepted by the

relevant national authorities;

▼B

(b) identifying the beneficial owner and taking reasonable measures to

verify that person's identity so that the obliged entity is satisfied that

it knows who the beneficial owner is, including, as regards legal

persons, trusts, companies, foundations and similar legal

arrangements, taking reasonable measures to understand the

ownership and control structure of the customer. ►M1 Where

the beneficial owner identified is the senior managing official as

referred to in Article 3(6)(a) (ii), obliged entities shall take the

necessary reasonable measures to verify the identity of the natural

person who holds the position of senior managing official and shall

keep records of the actions taken as well as any difficulties

encountered during the verification process; ◄

(c) assessing and, as appropriate, obtaining information on the purpose

and intended nature of the business relationship;

(d) conducting ongoing monitoring of the business relationship

including scrutiny of transactions undertaken throughout the

course of that relationship to ensure that the transactions being

conducted are consistent with the obliged entity's knowledge of

the customer, the business and risk profile, including where

necessary the source of funds and ensuring that the documents,

data or information held are kept up-to-date.

When performing the measures referred to in points (a) and (b) of the

first subparagraph, obliged entities shall also verify that any person

purporting to act on behalf of the customer is so authorised and

identify and verify the identity of that person.

2.

Member States shall ensure that obliged entities apply each of the

customer due diligence requirements laid down in paragraph 1.

However, obliged entities may determine the extent of such measures

on a risk-sensitive basis.

(¹) Regulation (EU) No 910/2014 of the European Parliament and of the Council

of 23 July 2014 on electronic identification and trust services for electronic

transactions in the internal market and repealing Directive 1999/93/EC (OJ

L 257, 28.8.2014, p. 73).

02015L0849 — EN — 30.12.2024 — 004.001 — 20

▼B

3.

Member States shall require that obliged entities take into account

at least the variables set out in Annex I when assessing the risks of

money laundering and terrorist financing.

4.

Member States shall ensure that obliged entities are able to

demonstrate to competent authorities or self-regulatory bodies that the

measures are appropriate in view of the risks of money laundering and

terrorist financing that have been identified.

5.

For life or other investment-related insurance business, Member

States shall ensure that, in addition to the customer due diligence

measures required for the customer and the beneficial owner, credit

institutions and financial institutions conduct the following customer

due diligence measures on the beneficiaries of life insurance and

other investment-related insurance policies, as soon as the beneficiaries

are identified or designated:

(a) in the case of beneficiaries that are identified as specifically named

persons or legal arrangements, taking the name of the person;

(b) in the case of beneficiaries that are designated by characteristics or

by class or by other means, obtaining sufficient information

concerning those beneficiaries to satisfy the credit institutions or

financial institution that it will be able to establish the identity of

the beneficiary at the time of the payout.

With regard to points (a) and (b) of the first subparagraph, the verifi-

cation of the identity of the beneficiaries shall take place at the time of

the payout. In the case of assignment, in whole or in part, of the life or

other investment-related insurance to a third party, credit institutions and

financial institutions aware of the assignment shall identify the

beneficial owner at the time of the assignment to the natural or legal

person or legal arrangement receiving for its own benefit the value of

the policy assigned.

6.

In the case of beneficiaries of trusts or of similar legal

arrangements that are designated by particular characteristics or class,

an obliged entity shall obtain sufficient information concerning the ben-

eficiary to satisfy the obliged entity that it will be able to establish the

identity of the beneficiary at the time of the payout or at the time of the

exercise by the beneficiary of its vested rights.

Article 14

1.

Member States shall require that verification of the identity of the

customer and the beneficial owner take place before the establishment

of a business relationship or the carrying out of the transaction.

►M1 Whenever entering into a new business relationship with a

corporate or other legal entity, or a trust or a legal arrangement

having a structure or functions similar to trusts (‘similar legal

arrangement’) which are subject to the registration of beneficial

ownership information pursuant to Article 30 or 31, the obliged

entities shall collect proof of registration or an excerpt of the register. ◄

02015L0849 — EN — 30.12.2024 — 004.001 — 21

▼B

2.

By way of derogation from paragraph 1, Member States may

allow verification of the identity of the customer and the beneficial

owner to be completed during the establishment of a business rela-

tionship if necessary so as not to interrupt the normal conduct of

business and where there is little risk of money laundering or terrorist

financing. In such situations, those procedures shall be completed as

soon as practicable after initial contact.

3.

By way of derogation from paragraph 1, Member States may

allow the opening of an account with a credit institution or financial

institution, including accounts that permit transactions in transferable

securities, provided that there are adequate safeguards in place to

ensure that transactions are not carried out by the customer or on its

behalf until full compliance with the customer due diligence

requirements laid down in points (a) and (b) of the first subparagraph

of Article 13(1) is obtained.

4.

Member States shall require that, where an obliged entity is unable

to comply with the customer due diligence requirements laid down in

point (a), (b) or (c) of the first subparagraph of Article 13(1), it shall not

carry out a transaction through a bank account, establish a business

relationship or carry out the transaction, and shall terminate the

business relationship and consider making a suspicious transaction

report to the FIU in relation to the customer in accordance with

Article 33.

Member States shall not apply the first subparagraph to notaries, other

independent legal professionals, auditors, external accountants and tax

advisors only to the strict extent that those persons ascertain the legal

position of their client, or perform the task of defending or representing

that client in, or concerning, judicial proceedings, including providing

advice on instituting or avoiding such proceedings.

▼M1

5.

Member States shall require that obliged entities apply the

customer due diligence measures not only to all new customers but

also at appropriate times to existing customers on a risk-sensitive

basis, or when the relevant circumstances of a customer change, or

when the obliged entity has any legal duty in the course of the

relevant calendar year to contact the customer for the purpose of

reviewing any relevant information relating to the beneficial owner(s),

or if the obliged entity has had this duty under Council Directive

2011/16/EU (¹).

▼B

SECTION 2

Simplified customer due diligence

Article 15

1.

Where a Member State or an obliged entity identifies areas of

lower risk, that Member State may allow obliged entities to apply

simplified customer due diligence measures.

(¹) Council Directive 2011/16/EU of 15 February 2011 on administrative coop-

eration in the field of taxation and repealing Directive 77/799/EEC (OJ L 64,

11.3.2011, p. 1).

02015L0849 — EN — 30.12.2024 — 004.001 — 22

▼B

2.

Before applying simplified customer due diligence measures,

obliged entities shall ascertain that the business relationship or the trans-

action presents a lower degree of risk.

3.

Member States shall ensure that obliged entities carry out

sufficient monitoring of the transactions and business relationships to

enable the detection of unusual or suspicious transactions.

Article 16

When assessing the risks of money laundering and terrorist financing

relating to types of customers, geographic areas, and particular products,

services, transactions or delivery channels, Member States and obliged

entities shall take into account at least the factors of potentially lower

risk situations set out in Annex II.

Article 17

►M2 By 26 June 2017, the ESAs shall issue guidelines, addressed to

competent authorities and to the credit institutions and financial insti-

tutions, in accordance with Article 16 of Regulation (EU) No 1093/2010

on the risk factors to be taken into consideration and the measures to be

taken in situations where simplified customer due diligence measures

are appropriate. From 1 January 2020, EBA shall, where appropriate,

issue such guidelines. ◄ Specific account shall be taken of the nature

and size of the business, and, where appropriate and proportionate,

specific measures shall be laid down.

SECTION 3

Enhanced customer due diligence

Article 18

1.

►M1 In the cases referred to in Articles 18a to 24, as well as in

other cases of higher risk that are identified by Member States or

obliged entities, Member States shall require obliged entities to apply

enhanced customer due diligence measures to manage and mitigate

those risks appropriately. ◄

Enhanced customer due diligence measures need not be invoked auto-

matically with respect to branches or majority-owned subsidiaries of

obliged entities established in the Union which are located in

high-risk third countries, where those branches or majority-owned

subsidiaries fully comply with the group-wide policies and procedures

in accordance with Article 45. Member States shall ensure that those

cases are handled by obliged entities by using a risk-based approach.

▼M1

2.

Member States shall require obliged entities to examine, as far as

reasonably possible, the background and purpose of all transactions that

fulfil at least one of the following conditions:

02015L0849 — EN — 30.12.2024 — 004.001 — 23

▼M1

(i) they are complex transactions;

(ii) they are unusually large transactions;

(iii) they are conducted in an unusual pattern;

(iv) they do not have an apparent economic or lawful purpose.

In particular, obliged entities shall increase the degree and nature of

monitoring of the business relationship, in order to determine whether

those transactions or activities appear suspicious.

▼B

3.

When assessing the risks of money laundering and terrorist

financing, Member States and obliged entities shall take into account

at least the factors of potentially higher-risk situations set out in

Annex III.

4.

addressed to competent authorities and the credit institutions and

financial institutions, in accordance with Article 16 of

►M2 By 26 June 2017, the ESAs shall issue guidelines,

Regulation (EU) No 1093/2010 on the risk factors to be taken into

consideration and the measures to be taken in situations where

enhanced customer due diligence measures are appropriate. From

1 January 2020, EBA shall, where appropriate, issue such guidelines. ◄

Specific account shall be taken of the nature and size of the business,

and, where appropriate and proportionate, specific measures shall be

laid down.

▼M3

5.

By 30 December 2024, EBA shall issue guidelines on risk

variables and risk factors to be taken into account by crypto-asset

service providers when entering into business relationships or carrying

out transactions in crypto-assets.

6.

EBA shall clarify, in particular, how the risk factors listed in

Annex III shall be taken into account by crypto-asset service

providers including when carrying out transactions with persons and

entities which are not covered by this Directive. To that end, EBA

shall pay particular attention to products, transactions and technologies

that have the potential to facilitate anonymity, such as privacy wallets,

mixers or tumblers.

Where situations of higher risk are identified, the guidelines referred to

in paragraph 5 shall include enhanced due diligence measures that

obliged entities shall consider applying to mitigate such risks,

including the adoption of appropriate procedures to detect the origin

or destination of crypto-assets.

▼M1

Article 18a

1.

With respect to business relationships or transactions involving

high-risk third countries identified pursuant to Article 9(2), Member

States shall require obliged entities to apply the following enhanced

customer due diligence measures:

(a) obtaining additional information on the customer and on the

beneficial owner(s);

02015L0849 — EN — 30.12.2024 — 004.001 — 24

▼M1

(b) obtaining additional information on the intended nature of the

business relationship;

(c) obtaining information on the source of funds and source of wealth

of the customer and of the beneficial owner(s);

(d) obtaining information on the reasons for the intended or performed

transactions;

(e) obtaining the approval of senior management for establishing or

continuing the business relationship;

(f) conducting enhanced monitoring of the business relationship by

increasing the number and timing of controls applied, and

selecting patterns of transactions that need further examination.

Member States may require obliged entities to ensure, where applicable,

that the first payment be carried out through an account in the

customer’s name with a credit institution subject to customer due

diligence standards that are not less robust than those laid down in

this Directive.

2.

In addition to the measures provided in paragraph 1 and in

compliance with the Union’s international obligations, Member States

shall require obliged entities to apply, where applicable, one or more

additional mitigating measures to persons and legal entities carrying out

transactions involving high-risk third countries identified pursuant to

Article 9(2). Those measures shall consist of one or more of the

following:

(a) the application of additional elements of enhanced due diligence;

(b) the introduction of enhanced relevant reporting mechanisms or

systematic reporting of financial transactions;

(c) the limitation of business relationships or transactions with natural

persons or legal entities from the third countries identified as high

risk countries pursuant to Article 9(2).

3.

In addition to the measures provided in paragraph 1, Member

States shall apply, where applicable, one or several of the following

measures with regard to high-risk third countries identified pursuant to

Article 9(2) in compliance with the Union’s international obligations:

(a) refusing the establishment of subsidiaries or branches or represen-

tative offices of obliged entities from the country concerned, or

otherwise taking into account the fact that the relevant obliged

entity is from a country that does not have adequate AML/CFT

regimes;

(b) prohibiting obliged entities from establishing branches or represen-

tative offices in the country concerned, or otherwise taking into

account the fact that the relevant branch or representative office

would be in a country that does not have adequate AML/CFT

regimes;

02015L0849 — EN — 30.12.2024 — 004.001 — 25

▼M1

(c) requiring increased supervisory examination or increased external

audit requirements for branches and subsidiaries of obliged

entities located in the country concerned;

(d) requiring increased external audit requirements for financial groups

with respect to any of their branches and subsidiaries located in the

country concerned;

(e) requiring credit and financial institutions to review and amend, or if

necessary terminate, correspondent relationships with respondent

institutions in the country concerned.

4.

When enacting or applying the measures set out in paragraphs 2

and 3, Member States shall take into account, as appropriate relevant

evaluations, assessments or reports drawn up by international organis-

ations and standard setters with competence in the field of preventing

money laundering and combating terrorist financing, in relation to the

risks posed by individual third countries.

5.

Member States shall notify the Commission before enacting or

applying the measures set out in paragraphs 2 and 3.

▼B

Article 19

▼M1

With respect to cross-border correspondent relationships involving the

execution of payments with a third-country respondent institution,

Member States shall, in addition to the customer due diligence

measures laid down in Article 13, require their credit institutions and

financial institutions when entering into a business relationship to:

▼B

(a) gather sufficient information about the respondent institution to

understand fully the nature of the respondent's business and to

determine from publicly available information the reputation of

the institution and the quality of supervision;

(b) assess the respondent institution's AML/CFT controls;

(c) obtain approval from senior management before establishing new

correspondent relationships;

(d) document the respective responsibilities of each institution;

(e) with respect to payable-through accounts, be satisfied that the

respondent institution has verified the identity of, and performed

ongoing due diligence on, the customers having direct access to

accounts of the correspondent institution, and that it is able to

provide relevant customer due diligence data to the correspondent

institution, upon request.

02015L0849 — EN — 30.12.2024 — 004.001 — 26

▼M3

Article 19a

Member States shall require crypto-asset service providers to

1.

identify and assess the risk of money laundering and terrorist

financing associated with transfers of crypto-assets directed to or orig-

inating from a self-hosted address. To that end, crypto-asset service

providers shall have in place internal policies, procedures and

controls. Member States shall require crypto-asset service providers to

apply mitigating measures commensurate with the risks identified.

Those mitigating measures shall include one or more of the following:

(a) taking risk-based measures to identify, and verify the identity of, the

originator or beneficiary of a transfer made to or from a self-hosted

address or the beneficial owner of such originator or beneficiary,

including through reliance on third parties;

(b) requiring additional information on the origin and destination of the

transferred crypto-assets;

(c) conducting enhanced ongoing monitoring of those transactions;

(d) any other measure to mitigate and manage the risks of money

laundering and terrorist financing as well as the risk of

non-implementation and evasion of targeted financial sanctions

and proliferation financing-related targeted financial sanctions.

2.

By 30 December 2024, EBA shall issue guidelines to specify the

measures referred to in this Article, including the criteria and means for

identification and verification of the identity of the originator or ben-

eficiary of a transfer made to or from a self-hosted address, in particular

through reliance on third parties, taking into account the latest tech-

nological developments.

Article 19b

1.

By way of derogation from Article 19, with respect to cross-border

correspondent relationships involving the execution of crypto-asset

services as defined in Article 3(1), point (16), of Regulation (EU)

2023/1114, with the exception of point (h) of that point, with a

respondent entity not established in the Union and providing similar

services, including transfers of crypto-assets, Member States shall, in

addition to the customer due diligence measures laid down in Article 13

of this Directive, require crypto-asset service providers, when entering

into a business relationship with such an entity, to:

(a) determine if the respondent entity is licensed or registered;

(b) gather sufficient information about the respondent entity to

understand fully the nature of the respondent’s business and to

determine from publicly available information the reputation of

the entity and the quality of supervision;

(c) assess the respondent entity’s AML/CFT controls;

02015L0849 — EN — 30.12.2024 — 004.001 — 27

▼M3

(d) obtain approval from senior management before establishing new

correspondent relationships;

(e) document the respective responsibilities of each party to the corre-

spondent relationship;

(f) with respect to payable-through crypto-asset accounts, be satisfied

that the respondent entity has verified the identity of, and performed

ongoing due diligence on, the customers having direct access to

accounts of the correspondent entity, and that it is able to provide

relevant customer due diligence data to the correspondent entity,

upon request.

Where crypto-asset service providers decide to terminate correspondent

relationships for reasons relating to anti-money laundering and

counter-terrorist financing policy, they shall document and record their

decision.

Crypto-asset service providers shall update the due diligence

information for the correspondent relationship on a regular basis or

when new risks emerge in relation to the respondent entity.

2.

Member States shall ensure crypto-asset service providers take into

account the information referred to in paragraph 1 in order to determine,

on a risk-sensitive basis, the appropriate measures to be taken to

mitigate the risks associated with the respondent entity.

3.

By 30 June 2024, EBA shall issue guidelines to specify the criteria

and elements that crypto-asset service providers shall take into account

when conducting the assessment referred to in paragraph 1 and the risk

mitigating measures referred to in paragraph 2, including the minimum

action to be taken by crypto-asset service providers where the

respondent entity is not registered or licensed.

▼B

Article 20

With respect to transactions or business relationships with politically

exposed persons, Member States shall, in addition to the customer

due diligence measures laid down in Article 13, require obliged

entities to:

(a) have in place appropriate risk management systems, including

risk-based procedures, to determine whether the customer or the

beneficial owner of the customer is a politically exposed person;

(b) apply the following measures in cases of business relationships with

politically exposed persons:

(i) obtain senior management approval for establishing or

continuing business relationships with such persons;

(ii) take adequate measures to establish the source of wealth and

source of funds that are involved in business relationships or

transactions with such persons;

(iii) conduct enhanced, ongoing monitoring of those business

relationships.

02015L0849 — EN — 30.12.2024 — 004.001 — 28

▼M1

Article 20a

Each Member State shall issue and keep up to date a list indicating

1.

the exact functions which, according to national laws, regulations and

administrative provisions, qualify as prominent public functions for the

purposes of point (9) of Article 3. Member States shall request each

international organisation accredited on their territories to issue and keep

up to date a list of prominent public functions at that international

organisation for the purposes of point (9) of Article 3. Those lists

shall be sent to the Commission and may be made public.

2.

The Commission shall compile and keep up to date the list of the

exact functions which qualify as prominent public functions at the level

of Union institutions and bodies. That list shall also include any

function which may be entrusted to representatives of third countries

and of international bodies accredited at Union level.

3.

The Commission shall assemble, based on the lists provided for in

paragraphs 1 and 2 of this Article, a single list of all prominent public

functions for the purposes of point (9) of Article 3. That single list shall

be made public.

4.

Functions included in the list referred to in paragraph 3 of this

Article shall be dealt with in accordance with the conditions laid down

in Article 41(2).

▼B

Article 21

Member States shall require obliged entities to take reasonable measures

to determine whether the beneficiaries of

a

life or other

investment-related insurance policy and/or, where required, the

beneficial owner of the beneficiary are politically exposed persons.

Those measures shall be taken no later than at the time of the payout

or at the time of the assignment, in whole or in part, of the policy.

Where there are higher risks identified, in addition to applying the

customer due diligence measures laid down in Article 13, Member

States shall require obliged entities to:

(a) inform senior management before payout of policy proceeds;

(b) conduct enhanced scrutiny of the entire business relationship with

the policyholder.

Article 22

Where a politically exposed person is no longer entrusted with a

prominent public function by a Member State or a third country, or

with a prominent public function by an international organisation,

obliged entities shall, for at least 12 months, be required to take into

account the continuing risk posed by that person and to apply appro-

priate and risk-sensitive measures until such time as that person is

deemed to pose no further risk specific to politically exposed persons.

02015L0849 — EN — 30.12.2024 — 004.001 — 29

▼B

Article 23

The measures referred to in Articles 20 and 21 shall also apply to

family members or persons known to be close associates of politically

exposed persons.

Article 24

Member States shall prohibit credit institutions and financial institutions

from entering into, or continuing, a correspondent relationship with a

shell bank. They shall require that those institutions take appropriate

measures to ensure that they do not engage in or continue correspondent

relationships with a credit institution or financial institution that is

known to allow its accounts to be used by a shell bank.

▼M3

Article 24a

By 1 January 2024, EBA shall issue guidelines specifying how the

enhanced customer due diligence measures in this Section apply when

obliged entities perform crypto-asset services as defined in Article 3(1),

point (16), of Regulation (EU) 2023/1114, with the exception of

point (h) of that point, as well as transfers of crypto-assets as defined

in Article 3, point (10), of Regulation (EU) 2023/1113. In particular,

EBA shall specify how and when those obliged entities shall obtain

additional information on the originator and beneficiary.

▼B

SECTION 4

Performance by third parties

Article 25

Member States may permit obliged entities to rely on third parties to

meet the customer due diligence requirements laid down in points (a),

(b) and (c) of the first subparagraph of Article 13(1). However, the

ultimate responsibility for meeting those requirements shall remain

with the obliged entity which relies on the third party.

Article 26

1.

For the purposes of this Section, ‘third parties’ means obliged

entities listed in Article 2, the member organisations or federations of

those obliged entities, or other institutions or persons situated in a

Member State or third country that:

(a) apply customer due diligence requirements and record-keeping

requirements that are consistent with those laid down in this

Directive; and

(b) have their compliance with the requirements of this Directive

supervised in a manner consistent with Section 2 of Chapter VI.

02015L0849 — EN — 30.12.2024 — 004.001 — 30

▼B

2.

Member States shall prohibit obliged entities from relying on third

parties established in high-risk third countries. Member States may

exempt branches and majority-owned subsidiaries of obliged entities

established in the Union from that prohibition where those branches

and majority-owned subsidiaries fully comply with the group-wide

policies and procedures in accordance with Article 45.

Article 27

1.

Member States shall ensure that obliged entities obtain from the

third party relied upon the necessary information concerning the

customer due diligence requirements laid down in points (a), (b) and

(c) of the first subparagraph of Article 13(1).

▼M1

2.

Member States shall ensure that obliged entities to which the

customer is referred take adequate steps to ensure that the third party

provides immediately, upon request, relevant copies of identification

and verification data, including, where available, data obtained

through electronic identification means, relevant trust services as set

out in Regulation (EU) No 910/2014, or any other secure, remote or

electronic, identification process regulated, recognised, approved or

accepted by the relevant national authorities.

▼B

Article 28

Member States shall ensure that the competent authority of the home

Member State (for group-wide policies and procedures) and the

competent authority of the host Member State (for branches and

subsidiaries) may consider an obliged entity to comply with the

provisions adopted pursuant to Articles 26 and 27 through its group

programme, where all of the following conditions are met:

(a) the obliged entity relies on information provided by a third party

that is part of the same group;

(b) that group applies customer due diligence measures, rules on

record-keeping and programmes against money laundering and

terrorist financing in accordance with this Directive or equivalent

rules;

(c) the effective implementation of the requirements referred to in

point (b) is supervised at group level by a competent authority of

the home Member State or of the third country.

Article 29

This Section shall not apply to outsourcing or agency relationships

where, on the basis of a contractual arrangement, the outsourcing

service provider or agent is to be regarded as part of the obliged entity.

02015L0849 — EN — 30.12.2024 — 004.001 — 31

▼B

CHAPTER III

BENEFICIAL OWNERSHIP INFORMATION

Article 30

1.

►M1 Member States shall ensure that corporate and other legal

entities incorporated within their territory are required to obtain and

hold adequate, accurate and current information on their beneficial

ownership, including the details of the beneficial interests held.

Member States shall ensure that breaches of this Article are subject to

effective, proportionate and dissuasive measures or sanctions. ◄

Member States shall ensure that those entities are required to provide, in

addition to information about their legal owner, information on the

beneficial owner to obliged entities when the obliged entities are

taking customer due diligence measures in accordance with Chapter II.

▼M1

Member States shall require that the beneficial owners of corporate or

other legal entities, including through shares, voting rights, ownership

interest, bearer shareholdings or control via other means, provide those

entities with all the information necessary for the corporate or other

legal entity to comply with the requirements in the first subparagraph.

▼B

2.

Member States shall require that the information referred to in

paragraph 1 can be accessed in a timely manner by competent auth-

orities and FIUs.

3.

Member States shall ensure that the information referred to in

paragraph 1 is held in a central register in each Member State, for

example a commercial register, companies register as referred to in

Article 3 of Directive 2009/101/EC of the European Parliament and

of the Council (¹), or a public register. Member States shall notify to

the Commission the characteristics of those national mechanisms. The

information on beneficial ownership contained in that database may be

collected in accordance with national systems.

▼M1

4.

Member States shall require that the information held in the

central register referred to in paragraph 3 is adequate, accurate and

current, and shall put in place mechanisms to this effect. Such

mechanisms shall include requiring obliged entities and, if appropriate

and to the extent that this requirement does not interfere unnecessarily

with their functions, competent authorities to report any discrepancies

they find between the beneficial ownership information available in the

central registers and the beneficial ownership information available to

them. In the case of reported discrepancies, Member States shall ensure

that appropriate actions be taken to resolve the discrepancies in a timely

manner and, if appropriate, a specific mention be included in the central

register in the meantime.

(¹) Directive 2009/101/EC of the European Parliament and of the Council of

16 September 2009 on coordination of safeguards which, for the protection

of the interests of members and third parties, are required by Member States

of companies within the meaning of the second paragraph of Article 48 of the

Treaty, with a view to making such safeguards equivalent (OJ L 258,

1.10.2009, p. 11).

02015L0849 — EN — 30.12.2024 — 004.001 — 32

▼M4

5.

Member States shall ensure that the information on the beneficial

ownership is accessible in all cases to:

(a) competent authorities and FIUs, without any restriction;

(b) obliged entities, within the framework of customer due diligence in

accordance with Chapter II;

(c) any person or organisation that can demonstrate a legitimate

interest.

The persons or organisations referred to in point (c) of the first sub-

paragraph shall be permitted to access at least the name, the month and

year of birth and the country of residence and nationality of the

beneficial owner as well as the nature and extent of the beneficial

interest held.

▼M1

Member States may, under conditions to be determined in national law,

provide for access to additional information enabling the identification

of the beneficial owner. That additional information shall include at

least the date of birth or contact details in accordance with data

protection rules.

5a.

Member States may choose to make the information held in their

national registers referred to in paragraph 3 available on the condition of

online registration and the payment of a fee, which shall not exceed the

administrative costs of making the information available, including costs

of maintenance and developments of the register.

6.

Member States shall ensure that competent authorities and FIUs

have timely and unrestricted access to all information held in the central

register referred to in paragraph 3 without alerting the entity concerned.

Member States shall also allow timely access by obliged entities when

taking customer due diligence measures in accordance with Chapter II.

Competent authorities granted access to the central register referred to in

paragraph 3 shall be those public authorities with designated responsi-

bilities for combating money laundering or terrorist financing, as well as

tax authorities, supervisors of obliged entities and authorities that have

the function of investigating or prosecuting money laundering, associ-

ated predicate offences and terrorist financing, tracing and seizing or

freezing and confiscating criminal assets.

7.

Member States shall ensure that competent authorities and FIUs

are able to provide the information referred to in paragraphs 1 and 3 to

the competent authorities and to the FIUs of other Member States in a

timely manner and free of charge.

▼B

8.

Member States shall require that obliged entities do not rely

exclusively on the central register referred to in paragraph 3 to fulfil

their customer due diligence requirements in accordance with Chapter

II. Those requirements shall be fulfilled by using a risk-based approach.

02015L0849 — EN — 30.12.2024 — 004.001 — 33

▼M1

9.

In exceptional circumstances to be laid down in national law,

where the access referred to in points (b) and (c) of the first subpara-

graph of paragraph 5 would expose the beneficial owner to dispropor-

tionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment,

violence or intimidation, or where the beneficial owner is a minor or

otherwise legally incapable, Member States may provide for an

exemption from such access to all or part of the information on the

beneficial ownership on a case-by-case basis. Member States shall

ensure that these exemptions are granted upon a detailed evaluation

of the exceptional nature of the circumstances. Rights to an administra-

tive review of the exemption decision and to an effective judicial

remedy shall be guaranteed. A Member State that has granted

exemptions shall publish annual statistical data on the number of

exemptions granted and reasons stated and report the data to the

Commission.

Exemptions granted pursuant to the first subparagraph of this paragraph

shall not apply to credit institutions and financial institutions, or to the

obliged entities referred to in point (3)(b) of Article 2(1) that are public

officials.

10.

Member States shall ensure that the central registers referred to in

paragraph 3 of this Article are interconnected via the European Central

Platform established by Article 22(1) of Directive (EU) 2017/1132 of

the European Parliament and of the Council (¹). The connection of the

Member States’ central registers to the platform shall be set up in

accordance with the technical specifications and procedures established

by implementing acts adopted by the Commission in accordance with

Article 24 of Directive (EU) 2017/1132 and with Article 31a of this

Directive.

Member States shall ensure that the information referred to in paragraph

1 of this Article is available through the system of interconnection of

registers established by Article 22(1) of Directive (EU) 2017/1132, in

accordance with Member States’ national laws implementing paragraphs

5, 5a and 6 of this Article.

The information referred to in paragraph 1 shall be available through the

national registers and through the system of interconnection of registers

for at least five years and no more than 10 years after the corporate or

other legal entity has been struck off from the register. Member States

shall cooperate among themselves and with the Commission in order to

implement the different types of access in accordance with this Article.

▼B

Article 31

▼M1

1.

Member States shall ensure that this Article applies to trusts and

other types of legal arrangements, such as, inter alia, fiducie, certain

types of Treuhand or fideicomiso, where such arrangements have a

structure or functions similar to trusts. Member States shall identify

the characteristics to determine where legal arrangements have a

structure or functions similar to trusts with regard to such legal

arrangements governed under their law.

(¹) Directive (EU) 2017/1132 of the European Parliament and of the Council of

14 June 2017 relating to certain aspects of company law (OJ L 169,

30.6.2017, p. 46).

02015L0849 — EN — 30.12.2024 — 004.001 — 34

▼M1

Each Member State shall require that trustees of any express trust

administered in that Member State obtain and hold adequate, accurate

and up-to-date information on beneficial ownership regarding the trust.

That information shall include the identity of:

(a) the settlor(s);

(b) the trustee(s);

(c) the protector(s) (if any);

(d) the beneficiaries or class of beneficiaries;

(e) any other natural person exercising effective control of the trust.

Member States shall ensure that breaches of this Article are subject to

effective, proportionate and dissuasive measures or sanctions.

2.

Member States shall ensure that trustees or persons holding

equivalent positions in similar legal arrangements as referred to in

paragraph 1 of this Article, disclose their status and provide the

information referred to in paragraph 1 of this Article to obliged

entities in a timely manner, where, as a trustee or as person holding

an equivalent position in a similar legal arrangement, they form a

business relationship or carry out an occasional transaction above the

thresholds set out in points (b), (c) and (d) of Article 11.

▼B

3.

Member States shall require that the information referred to in

paragraph 1 can be accessed in a timely manner by competent auth-

orities and FIUs.

▼M1

3a.

Member States shall require that the beneficial ownership

information of express trusts and similar legal arrangements as

referred to in paragraph 1 shall be held in a central beneficial

ownership register set up by the Member State where the trustee of

the trust or person holding an equivalent position in a similar legal

arrangement is established or resides.

Where the place of establishment or residence of the trustee of the trust

or person holding an equivalent position in similar legal arrangement is

outside the Union, the information referred to in paragraph 1 shall be

held in a central register set up by the Member State where the trustee

of the trust or person holding an equivalent position in a similar legal

arrangement enters into a business relationship or acquires real estate in

the name of the trust or similar legal arrangement.

Where the trustees of a trust or persons holding equivalent positions in a

similar legal arrangement are established or reside in different Member

States, or where the trustee of the trust or person holding an equivalent

position in a similar legal arrangement enters into multiple business

relationships in the name of the trust or similar legal arrangement in

different Member States, a certificate of proof of registration or an

excerpt of the beneficial ownership information held in a register by

one Member State may be considered as sufficient to consider the

registration obligation fulfilled.

02015L0849 — EN — 30.12.2024 — 004.001 — 35

▼M4

4.

Member States shall ensure that the information on the beneficial

ownership of a trust or a similar legal arrangement is accessible in all

cases to:

(a) competent authorities and FIUs, without any restriction;

(b) obliged entities, within the framework of customer due diligence in

accordance with Chapter II;

(c) any natural or legal person that can demonstrate a legitimate interest

to access beneficial ownership information.

The information accessible to natural or legal persons referred to in

point (c) of the first subparagraph shall consist of the name, the

month and year of birth and the country of residence and nationality

of the beneficial owner, as well as nature and extent of beneficial

interest held.

▼M1

Member States may, under conditions to be determined in national law,

provide for access of additional information enabling the identification

of the beneficial owner That additional information shall include at least

the date of birth or contact details, in accordance with data protection

rules. Member States may allow for wider access to the information

held in the register in accordance with their national law.

Competent authorities granted access to the central register referred to in

paragraph 3a shall be public authorities with designated responsibilities

for combating money laundering or terrorist financing, as well as tax

authorities, supervisors of obliged entities and authorities that have the

function of investigating or prosecuting money laundering, associated

predicate offences and terrorist financing, tracing, and seizing or

freezing and confiscating criminal assets.

4a.

Member States may choose to make the information held in their

national registers referred to in paragraph 3a available on the condition

of online registration and the payment of a fee, which shall not exceed

the administrative costs of making the information available, including

costs of maintenance and developments of the register.

5.

Member States shall require that the information held in the

central register referred to in paragraph 3a is adequate, accurate and

current, and shall put in place mechanisms to this effect. Such

mechanisms shall include requiring obliged entities and, if appropriate

and to the extent that this requirement does not interfere unnecessarily

with their functions, competent authorities to report any discrepancies

they find between the beneficial ownership information available in the

central registers and the beneficial ownership information available to

them. In the case of reported discrepancies Member States shall ensure

that appropriate actions be taken to resolve the discrepancies in a timely

manner and, if appropriate, a specific mention be included in the central

register in the meantime.

▼B

6.

Member States shall ensure that obliged entities do not rely

exclusively on the central register referred to in paragraph 4 to fulfil

their customer due diligence requirements as laid down in Chapter II.

Those requirements shall be fulfilled by using a risk-based approach.

02015L0849 — EN — 30.12.2024 — 004.001 — 36

▼M1

7.

Member States shall ensure that competent authorities and FIUs

are able to provide the information referred to in paragraphs 1 and 3 to

the competent authorities and to the FIUs of other Member States in a

timely manner and free of charge.

7a.

In exceptional circumstances to be laid down in national law,

where the access referred to in points (b), (c) and (d) of the first

subparagraph of paragraph 4 would expose the beneficial owner to

disproportionate risk, risk of fraud, kidnapping, blackmail, extortion,

harassment, violence or intimidation, or where the beneficial owner is

a minor or otherwise legally incapable, Member States may provide for

an exemption from such access to all or part of the information on the

beneficial ownership on a case-by-case basis. Member States shall

ensure that these exemptions are granted upon a detailed evaluation

of the exceptional nature of the circumstances. Rights to an administra-

tive review of the exemption decision and to an effective judicial

remedy shall be guaranteed. A Member State that has granted

exemptions shall publish annual statistical data on the number of

exemptions granted and reasons stated and report the data to the

Commission.

Exemptions granted pursuant to the first subparagraph shall not apply to

the credit institutions and financial institutions, and to obliged entities

referred to in point (3)(b) of Article 2(1) that are public officials.

Where a Member State decides to establish an exemption in accordance

with the first subparagraph, it shall not restrict access to information by

competent authorities and FIUs.

__________

9.

Member States shall ensure that the central registers referred to in

paragraph 3a of this Article are interconnected via the European Central

Platform established by Article 22(1) of Directive (EU) 2017/1132. The

connection of the Member States’ central registers to the platform shall

be set up in accordance with the technical specifications and procedures

established by implementing acts adopted by the Commission in

accordance with Article 24 of Directive (EU) 2017/1132 and with

Article 31a of this Directive.

Member States shall ensure that the information referred to in paragraph

1 of this Article is available through the system of interconnection of

registers established by Article 22(2) of Directive (EU) 2017/1132, in

accordance with Member States’ national laws implementing paragraphs

4 and 5 of this Article.

Member States shall take adequate measures to ensure that only the

information referred to in paragraph 1 that is up to date and corresponds

to the actual beneficial ownership is made available through their

national registers and through the system of interconnection of registers,

and the access to that information shall be in accordance with data

protection rules.

The information referred to in paragraph 1 shall be available through the

national registers and through the system of interconnection of registers

for at least five years and no more than 10 years after the grounds for

registering the beneficial ownership information as referred to in

paragraph 3a have ceased to exist. Member States shall cooperate

with the Commission in order to implement the different types of

access in accordance with paragraphs 4 and 4a.

02015L0849 — EN — 30.12.2024 — 004.001 — 37

▼M1

10.

Member States shall notify to the Commission the categories,

description of the characteristics, names and, where applicable, legal

basis of the trusts and similar legal arrangements referred to in

paragraph 1 by 10 July 2019. The Commission shall publish the

consolidated list of such trusts and similar legal arrangements in the

Official Journal of the European Union by 10 September 2019.

By 26 June 2020, the Commission shall submit a report to the European

Parliament and to the Council assessing whether all trusts and similar

legal arrangements as referred to in paragraph 1 governed under the law

of Member States were duly identified and made subject to the obli-

gations as set out in this Directive. Where appropriate, the Commission

shall take the necessary steps to act upon the findings of that report.

Article 31a

Implementing acts

Where necessary in addition to the implementing acts adopted by the

Commission in accordance with Article 24 of Directive (EU) 2017/1132

and in accordance with the scope of Article 30 and 31 of this Directive,

the Commission shall adopt by means of implementing acts technical

specifications and procedures necessary to provide for the intercon-

nection of Member States’ central registers as referred to in

Article 30(10) and Article 31(9), with regard to:

(a) the technical specification defining the set of the technical data

necessary for the platform to perform its functions as well as the

method of storage, use and protection of such data;

(b) the common criteria according to which beneficial ownership

information is available through the system of interconnection of

registers, depending on the level of access granted by Member

States;

(c) the technical details on how the information on beneficial owners is

to be made available;

(d) the technical conditions of availability of services provided by the

system of interconnection of registers;

(e) the technical modalities how to implement the different types of

access to information on beneficial ownership based on Article 30(5)

and Article 31(4);

(f) the payment modalities where access to beneficial ownership

information is subject to the payment of a fee according to

Article 30(5a) and Article 31(4a) taking into account available

payment facilities such as remote payment transactions.

Those implementing acts shall be adopted in accordance with the exa-

mination procedure referred to in Article 64a(2).

02015L0849 — EN — 30.12.2024 — 004.001 — 38

▼M1

In its implementing acts, the Commission shall strive to reuse proven

technology and existing practices. The Commission shall ensure that the

systems to be developed shall not incur costs above what is absolutely

necessary in order to implement this Directive. The Commission’s im-

plementing acts shall be characterised by transparency and the exchange

of experiences and information between the Commission and the

Member States.

▼B

CHAPTER IV

REPORTING OBLIGATIONS

SECTION 1

General provisions

Article 32

1.

Each Member State shall establish an FIU in order to prevent,

detect and effectively combat money laundering and terrorist financing.

2.

Member States shall notify the Commission in writing of the name

and address of their respective FIUs.

3.

Each FIU shall be operationally independent and autonomous,

which means that the FIU shall have the authority and capacity to

carry out its functions freely, including the ability to take autonomous

decisions to analyse, request and disseminate specific information. The

FIU as the central national unit shall be responsible for receiving and

analysing suspicious transaction reports and other information relevant

to money laundering, associated predicate offences or terrorist financing.

The FIU shall be responsible for disseminating the results of its analyses

and any additional relevant information to the competent authorities

where there are grounds to suspect money laundering, associated

predicate offences or terrorist financing. It shall be able to obtain ad-

ditional information from obliged entities.

Member States shall provide their FIUs with adequate financial, human

and technical resources in order to fulfil their tasks.

4.

Member States shall ensure that their FIUs have access, directly or

indirectly, in a timely manner, to the financial, administrative and law

enforcement information that they require to fulfil their tasks properly.

FIUs shall be able to respond to requests for information by competent

authorities in their respective Member States when such requests for

information are motivated by concerns relating to money laundering,

associated predicate offences or terrorist financing. The decision on

conducting the analysis or dissemination of information shall remain

with the FIU.

02015L0849 — EN — 30.12.2024 — 004.001 — 39

▼B

5.

Where there are objective grounds for assuming that the provision

of such information would have a negative impact on ongoing investi-

gations or analyses, or, in exceptional circumstances, where disclosure

of the information would be clearly disproportionate to the legitimate

interests of a natural or legal person or irrelevant with regard to the

purposes for which it has been requested, the FIU shall be under no

obligation to comply with the request for information.

6.

Member States shall require competent authorities to provide

feedback to the FIU about the use made of the information provided

in accordance with this Article and about the outcome of the investi-

gations or inspections performed on the basis of that information.

7.

Member States shall ensure that the FIU is empowered to take

urgent action, directly or indirectly, where there is a suspicion that a

transaction is related to money laundering or terrorist financing, to

suspend or withhold consent to a transaction that is proceeding, in

order to analyse the transaction, confirm the suspicion and disseminate

the results of the analysis to the competent authorities. The FIU shall be

empowered to take such action, directly or indirectly, at the request of

an FIU from another Member State for the periods and under the

conditions specified in the national law of the FIU receiving the request.

8.

The FIU's analysis function shall consist of the following:

(a) an operational analysis which focuses on individual cases and

specific targets or on appropriate selected information, depending

on the type and volume of the disclosures received and the expected

use of the information after dissemination; and

(b) a strategic analysis addressing money laundering and terrorist

financing trends and patterns.

▼M1

9.

Without prejudice to Article 34(2), in the context of its functions,

each FIU shall be able to request, obtain and use information from any

obliged entity for the purpose set in paragraph 1 of this Article, even if

no prior report is filed pursuant to Article 33(1)(a) or 34(1).

Article 32a

1.

Member States shall put in place centralised automated

mechanisms, such as central registries or central electronic data

retrieval systems, which allow the identification, in a timely manner,

of any natural or legal persons holding or controlling payment accounts

and bank accounts identified by IBAN, as defined by Regulation (EU)

No 260/2012 of the European Parliament and of the Council (¹), and

safe-deposit boxes held by a credit institution within their territory.

Member States shall notify the Commission of the characteristics of

those national mechanisms.

(¹) Regulation (EU) No 260/2012 of the European Parliament and of the Council

of 14 March 2012 establishing technical and business requirements for credit

transfers and direct debits in euro and amending Regulation (EC)

No 924/2009 (OJ L 94, 30.3.2012, p. 22).

02015L0849 — EN — 30.12.2024 — 004.001 — 40

▼M1

2.

Member States shall ensure that the information held in the

centralised mechanisms referred to in paragraph 1 of this Article is

directly accessible in an immediate and unfiltered manner to national

FIUs. The information shall also be accessible to national competent

authorities for fulfilling their obligations under this Directive. Member

States shall ensure that any FIU is able to provide information held in

the centralised mechanisms referred to in paragraph 1 of this Article to

any other FIUs in a timely manner in accordance with Article 53.

3.

The following information shall be accessible and searchable

through the centralised mechanisms referred to in paragraph 1:

— for the customer-account holder and any person purporting to act on

behalf of the customer: the name, complemented by either the other

identification data required under the national provisions transposing

point (a) of Article 13(1) or a unique identification number;

— for the beneficial owner of the customer-account holder: the name,

complemented by either the other identification data required under

the national provisions transposing point (b) of Article 13(1) or a

unique identification number;

— for the bank or payment account: the IBAN number and the date of

account opening and closing;

— for the safe-deposit box: name of the lessee complemented by either

the other identification data required under the national provisions

transposing Article 13(1) or a unique identification number and the

duration of the lease period.

4.

Member States may consider requiring other information deemed

essential for FIUs and competent authorities for fulfilling their obli-

gations under this Directive to be accessible and searchable through

the centralised mechanisms.

5.

By 26 June 2020, the Commission shall submit a report to the

European Parliament and to the Council assessing the conditions and the

technical specifications and procedures for ensuring secure and efficient

interconnection of the centralised automated mechanisms. Where appro-

priate, that report shall be accompanied by a legislative proposal.

Article 32b

1.

Member States shall provide FIUs and competent authorities with

access to information which allows the identification in a timely manner

of any natural or legal persons owning real estate, including through

registers or electronic data retrieval systems where such registers or

systems are available.

2.

By 31 December 2020, the Commission shall submit a report to

the European Parliament and to the Council assessing the necessity and

proportionality of harmonising the information included in the registers

and assessing the need for the interconnection of those registers. Where

appropriate, that report shall be accompanied by a legislative proposal.

02015L0849 — EN — 30.12.2024 — 004.001 — 41

▼B

Article 33

Member States shall require obliged entities, and, where

1.

applicable, their directors and employees, to cooperate fully by

promptly:

(a) informing the FIU, including by filing a report, on their own

initiative, where the obliged entity knows, suspects or has

reasonable grounds to suspect that funds, regardless of the amount

involved, are the proceeds of criminal activity or are related to

terrorist financing, and by promptly responding to requests by the

FIU for additional information in such cases; and

▼M1

(b) providing the FIU directly, at its request, with all necessary

information.

▼B

All suspicious transactions, including attempted transactions, shall be

reported.

2.

The person appointed in accordance with point (a) of Article 8(4)

shall transmit the information referred to in paragraph 1 of this Article

to the FIU of the Member State in whose territory the obliged entity

transmitting the information is established.

Article 34

1.

By way of derogation from Article 33(1), Member States may, in

the case of obliged entities referred to in point (3)(a), (b) and (d) of

Article 2(1), designate an appropriate self-regulatory body of the

profession concerned as the authority to receive the information

referred to in Article 33(1).

Without prejudice to paragraph 2, the designated self-regulatory body

shall, in cases referred to in the first subparagraph of this paragraph,

forward the information to the FIU promptly and unfiltered.

2.

Member States shall not apply the obligations laid down in

Article 33(1) to notaries, other independent legal professionals,

auditors, external accountants and tax advisors only to the strict

extent that such exemption relates to information that they receive

from, or obtain on, one of their clients, in the course of ascertaining

the legal position of their client, or performing their task of defending or

representing that client in, or concerning, judicial proceedings, including

providing advice on instituting or avoiding such proceedings, whether

such information is received or obtained before, during or after such

proceedings.

▼M1

3.

Self-regulatory bodies designated by Member States shall publish

an annual report containing information about:

(a) measures taken under Articles 58, 59 and 60;

(b) number of reports of breaches received as referred to in Article 61,

where applicable;

02015L0849 — EN — 30.12.2024 — 004.001 — 42

▼M1

(c) number of reports received by the self-regulatory body as referred to

in paragraph 1 and the number of reports forwarded by the

self-regulatory body to the FIU where applicable;

(d) where applicable number and description of measures carried out

under Article 47 and 48 to monitor compliance by obliged entities

with their obligations under:

(i) Articles 10 to 24 (customer due diligence);

(ii) Articles 33, 34 and 35 (suspicious transaction reporting);

(iii) Article 40 (record-keeping); and

(iv) Articles 45 and 46 (internal controls).

▼B

Article 35

1.

Member States shall require obliged entities to refrain from

carrying out transactions which they know or suspect to be related to

proceeds of criminal activity or to terrorist financing until they have

completed the necessary action in accordance with point (a) of the first

subparagraph of Article 33(1) and have complied with any further

specific instructions from the FIU or the competent authorities in

accordance with the law of the relevant Member State.

2.

Where refraining from carrying out transactions referred to in

paragraph 1 is impossible or is likely to frustrate efforts to pursue the

beneficiaries of a suspected operation, the obliged entities concerned

shall inform the FIU immediately afterwards.

Article 36

1.

Member States shall ensure that if, in the course of checks carried

out on the obliged entities by the competent authorities referred to in

Article 48, or in any other way, those authorities discover facts that

could be related to money laundering or to terrorist financing, they shall

promptly inform the FIU.

2.

Member States shall ensure that supervisory bodies empowered by

law or regulation to oversee the stock, foreign exchange and financial

derivatives markets inform the FIU if they discover facts that could be

related to money laundering or terrorist financing.

Article 37

Disclosure of information in good faith by an obliged entity or by an

employee or director of such an obliged entity in accordance with

Articles 33 and 34 shall not constitute a breach of any restriction on

disclosure of information imposed by contract or by any legislative,

regulatory or administrative provision, and shall not involve the

obliged entity or its directors or employees in liability of any kind

even in circumstances where they were not precisely aware of the

underlying criminal activity and regardless of whether illegal activity

actually occurred.

02015L0849 — EN — 30.12.2024 — 004.001 — 43

▼M1

Article 38

Member States shall ensure that individuals, including employees

1.

and representatives of the obliged entity who report suspicions of

money laundering or terrorist financing internally or to the FIU, are

legally protected from being exposed to threats, retaliatory or hostile

action, and in particular from adverse or discriminatory employment

actions.

2.

Member States shall ensure that individuals who are exposed to

threats, retaliatory or hostile actions, or adverse or discriminatory

employment actions for reporting suspicions of money laundering or

terrorist financing internally or to the FIU are entitled to present a

complaint in a safe manner to the respective competent authorities.

Without prejudice to the confidentiality of information gathered by

the FIU, Member States shall also ensure that such individuals have

the right to an effective remedy to safeguard their rights under this

paragraph.

▼B

SECTION 2

Prohibition of disclosure

Article 39

1.

Obliged entities and their directors and employees shall not

disclose to the customer concerned or to other third persons the fact

that information is being, will be or has been transmitted in accordance

with Article 33 or 34 or that a money laundering or terrorist financing

analysis is being, or may be, carried out.

2.

The prohibition laid down in paragraph 1 shall not include

disclosure to the competent authorities, including the self-regulatory

bodies, or disclosure for law enforcement purposes.

▼M1

3.

The prohibition laid down in paragraph 1 of this Article shall not

prevent disclosure between the credit institutions and financial insti-

tutions from the Member States provided that they belong to the

same group, or between those entities and their branches and majority

owned subsidiaries established in third countries, provided that those

branches and majority-owned subsidiaries fully comply with the

group-wide policies and procedures, including procedures for sharing

information within the group, in accordance with Article 45, and that

the group-wide policies and procedures comply with the requirements

set out in this Directive.

▼B

4.

The prohibition laid down in paragraph 1 shall not prevent

disclosure between the obliged entities as referred to in point (3)(a)

and (b) of Article 2(1), or entities from third countries which impose

requirements equivalent to those laid down in this Directive, who

perform their professional activities, whether as employees or not,

within the same legal person or a larger structure to which the person

belongs and which shares common ownership, management or

compliance control.

02015L0849 — EN — 30.12.2024 — 004.001 — 44

▼B

5.

For obliged entities referred to in points (1), (2), (3)(a) and (b) of

Article 2(1) in cases relating to the same customer and the same trans-

action involving two or more obliged entities, the prohibition laid down

in paragraph 1 of this Article shall not prevent disclosure between the

relevant obliged entities provided that they are from a Member State, or

entities in a third country which imposes requirements equivalent to

those laid down in this Directive, and that they are from the same

professional category and are subject to obligations as regards profes-

sional secrecy and personal data protection.

6.

Where the obliged entities referred to in point (3)(a) and (b) of

Article 2(1) seek to dissuade a client from engaging in illegal activity,

that shall not constitute disclosure within the meaning of paragraph 1 of

this Article.

CHAPTER V

DATA PROTECTION, RECORD-RETENTION AND STATISTICAL

DATA

Article 40

1.

Member States shall require obliged entities to retain the following

documents and information in accordance with national law for the

purpose of preventing, detecting and investigating, by the FIU or by

other competent authorities, possible money laundering or terrorist

financing:

▼M1

(a) in the case of customer due diligence, a copy of the documents and

information which are necessary to comply with the customer due

diligence requirements laid down in Chapter II, including, where

available, information obtained through electronic identification

means, relevant trust services as set out in Regulation (EU)

No 910/2014 or any other secure, remote or electronic, identifi-

cation process regulated, recognised, approved or accepted by the

relevant national authorities, for a period of five years after the end

of the business relationship with their customer or after the date of

an occasional transaction;

▼B

(b) the supporting evidence and records of transactions, consisting of

the original documents or copies admissible in judicial proceedings

under the applicable national law, which are necessary to identify

transactions, for a period of five years after the end of a business

relationship with their customer or after the date of an occasional

transaction.

Upon expiry of the retention periods referred to in the first

subparagraph, Member States shall ensure that obliged entities delete

personal data, unless otherwise provided for by national law, which

shall determine under which circumstances obliged entities may or

shall further retain data. Member States may allow or require further

retention after they have carried out a thorough assessment of the

necessity and proportionality of such further retention and consider it

to be justified as necessary for the prevention, detection or investigation

of money laundering or terrorist financing. That further retention period

shall not exceed five additional years.

02015L0849 — EN — 30.12.2024 — 004.001 — 45

▼M1

The retention period referred to in this paragraph, including the further

retention period that shall not exceed five additional years, shall also

apply in respect of the data accessible through the centralised

mechanisms referred to in Article 32a.

▼B

2.

Where, on 25 June 2015, legal proceedings concerned with the

prevention, detection, investigation or prosecution of suspected money

laundering or terrorist financing are pending in a Member State, and an

obliged entity holds information or documents relating to those pending

proceedings, the obliged entity may retain that information or those

documents, in accordance with national law, for a period of five

years from 25 June 2015. Member States may, without prejudice to

national criminal law on evidence applicable to ongoing criminal inves-

tigations and legal proceedings, allow or require the retention of such

information or documents for a further period of five years where the

necessity and proportionality of such further retention has been estab-

lished for the prevention, detection, investigation or prosecution of

suspected money laundering or terrorist financing.

Article 41

▼M2

1.

The processing of personal data under this Directive is subject to

Regulations (EU) 2016/679 (¹) and (EU) 2018/1725 (²) of the European

Parliament and of the Council.

▼B

2.

Personal data shall be processed by obliged entities on the basis of

this Directive only for the purposes of the prevention of money laun-

dering and terrorist financing as referred to in Article 1 and shall not be

further processed in a way that is incompatible with those purposes. The

processing of personal data on the basis of this Directive for any other

purposes, such as commercial purposes, shall be prohibited.

3.

Obliged entities shall provide new clients with the information

required pursuant to Article 10 of Directive 95/46/EC before estab-

lishing a business relationship or carrying out an occasional transaction.

That information shall, in particular, include a general notice concerning

the legal obligations of obliged entities under this Directive to process

personal data for the purposes of the prevention of money laundering

and terrorist financing as referred to in Article 1 of this Directive.

(¹) Regulation (EU) 2016/679 of the European Parliament and of the Council of

27 April 2016 on the protection of natural persons with regard to the

processing of personal data and on the free movement of such data, and

repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119,

4.5.2016, p. 1).

(²) Regulation (EU) 2018/1725 of the European Parliament and of the Council of

23 October 2018 on the protection of natural persons with regard to the

processing of personal data by the Union institutions, bodies, offices and

agencies and on the free movement of such data, and repealing

Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295,

21.11.2018, p. 39).

02015L0849 — EN — 30.12.2024 — 004.001 — 46

▼B

4.

In applying the prohibition of disclosure laid down in Article 39(1),

Member States shall adopt legislative measures restricting, in whole or

in part, the data subject's right of access to personal data relating to him

or her to the extent that such partial or complete restriction constitutes a

necessary and proportionate measure in a democratic society with due

regard for the legitimate interests of the person concerned to:

(a) enable the obliged entity or competent national authority to fulfil its

tasks properly for the purposes of this Directive; or

(b) avoid obstructing official or legal inquiries, analyses, investigations

or procedures for the purposes of this Directive and to ensure that

the prevention, investigation and detection of money laundering and

terrorist financing is not jeopardised.

Article 42

Member States shall require that their obliged entities have systems in

place that enable them to respond fully and speedily to enquiries from

their FIU or from other authorities, in accordance with their national

law, as to whether they are maintaining or have maintained, during

a five-year period prior to that enquiry a business relationship with

specified persons, and on the nature of that relationship, through

secure channels and in a manner that ensures full confidentiality of

the enquiries.

▼M1

Article 43

The processing of personal data on the basis of this Directive for the

purposes of the prevention of money laundering and terrorist financing

as referred to in Article 1 shall be considered to be a matter of public

interest under Regulation (EU) 2016/679 of the European Parliament

and of the Council (¹).

Article 44

1.

Member States shall, for the purposes of contributing to the prep-

aration of risk assessment pursuant to Article 7, ensure that they are able

to review the effectiveness of their systems to combat money laundering

or terrorist financing by maintaining comprehensive statistics on matters

relevant to the effectiveness of such systems.

2.

The statistics referred to in paragraph 1 shall include:

(a) data measuring the size and importance of the different sectors

which fall within the scope of this Directive, including the

number of natural persons and entities and the economic importance

of each sector;

(¹) Regulation (EU) 2016/679 of the European Parliament and of the Council of

27 April 2016 on the protection of natural persons with regard to the

processing of personal data and on the free movement of such data, and

repealing Directive 95/46/EC (General Data Protection Regulation) (OJ

L 119, 4.5.2016, p. 1).

02015L0849 — EN — 30.12.2024 — 004.001 — 47

▼M1

(b) data measuring the reporting, investigation and judicial phases of

the national AML/CFT regime, including the number of suspicious

transaction reports made to the FIU, the follow-up given to those

reports and, on an annual basis, the number of cases investigated,

the number of persons prosecuted, the number of persons convicted

for money laundering or terrorist financing offences, the types of

predicate offences, where such information is available, and the

value in euro of property that has been frozen, seized or confiscated;

(c) if available, data identifying the number and percentage of reports

resulting in further investigation, together with the annual report to

obliged entities detailing the usefulness and follow-up of the reports

they presented;

(d) data regarding the number of cross-border requests for information

that were made, received, refused and partially or fully answered by

the FIU, broken down by counterpart country;

(e) human resources allocated to competent authorities responsible for

AML/CFT supervision as well as human resources allocated to the

FIU to fulfil the tasks specified in Article 32;

(f) the number of on-site and off-site supervisory actions, the number

of breaches identified on the basis of supervisory actions and

sanctions/administrative measures applied by supervisory

authorities.

3.

Member States shall ensure that a consolidated review of their

statistics is published on an annual basis.

4.

Member States shall transmit annually to the Commission the

statistics referred to in paragraph 2. The Commission shall publish an

annual report summarising and explaining the statistics referred to in

paragraph 2, which shall be made available on its website.

▼B

CHAPTER VI

POLICIES, PROCEDURES AND SUPERVISION

SECTION 1

Internal procedures, training and feedback

Article 45

1.

Member States shall require obliged entities that are part of a

group to implement group-wide policies and procedures, including

data protection policies and policies and procedures for sharing

information within the group for AML/CFT purposes. Those policies

and procedures shall be implemented effectively at the level of branches

and majority-owned subsidiaries in Member States and third countries.

2.

Member States shall require that obliged entities that operate

establishments in another Member State ensure that those establishments

respect the national provisions of that other Member State transposing

this Directive.

02015L0849 — EN — 30.12.2024 — 004.001 — 48

▼B

3.

Member States shall ensure that where obliged entities have

branches or majority-owned subsidiaries located in third countries

where the minimum AML/CFT requirements are less strict than those

of the Member State, their branches and majority-owned subsidiaries

located in the third country implement the requirements of the Member

State, including data protection, to the extent that the third country's law

so allows.

▼M2

4.

The Member States and EBA shall inform each other of instances

in which the law of a third country does not permit the implementation

of the policies and procedures required under paragraph 1. In such cases,

coordinated actions may be taken to pursue a solution. In assessing

which third countries do not permit the implementation of the policies

and procedures required under paragraph 1, Member States and EBA

shall take into account any legal constraints that may hinder the proper

implementation of those policies and procedures, including secrecy, data

protection and other constraints limiting the exchange of information

that may be relevant for that purpose.

▼B

5.

Member States shall require that, where a third country's law does

not permit the implementation of the policies and procedures required

under paragraph 1, obliged entities ensure that branches and

majority-owned subsidiaries in that third country apply additional

measures to effectively handle the risk of money laundering or

terrorist financing, and inform the competent authorities of their home

Member State. If the additional measures are not sufficient, the

competent authorities of the home Member State shall exercise ad-

ditional supervisory actions, including requiring that the group does

not establish or that it terminates business relationships, and does not

undertake transactions and, where necessary, requesting the group to

close down its operations in the third country.

▼M2

6.

EBA shall develop draft regulatory technical standards specifying

the type of additional measures referred to in paragraph 5 and the

minimum action to be taken by credit institutions and financial insti-

tutions where a third country’s law does not permit the implementation

of the measures required under paragraphs 1 and 3.

EBA shall submit the draft regulatory technical standards referred to in

the first subparagraph to the Commission by 26 December 2016.

▼B

7.

Power is delegated to the Commission to adopt the regulatory

technical standards referred to in paragraph 6 of this Article in

accordance with Articles 10 to 14 of Regulations (EU)

No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.

8.

Member States shall ensure that the sharing of information within

the group is allowed. Information on suspicions that funds are the

proceeds of criminal activity or are related to terrorist financing

reported to the FIU shall be shared within the group, unless otherwise

instructed by the FIU.

02015L0849 — EN — 30.12.2024 — 004.001 — 49

▼M3

9.

Member States may require electronic money issuers as defined in

Article 2, point (3), of Directive 2009/110/EC, payment service

providers as defined in Article 4, point (11), of Directive (EU)

2015/2366 and crypto-asset service providers established on their

territory in forms other than a branch, and whose head office is

situated in another Member State, to appoint a central contact point in

their territory. That central contact point shall ensure, on behalf of the

entity operating on a cross-border basis, compliance with AML/CFT

rules and shall facilitate supervision by supervisors, including by

providing supervisors with documents and information on request.

▼M2

10.

EBA shall develop draft regulatory technical standards on the

criteria for determining the circumstances in which the appointment of

a central contact point pursuant to paragraph 9 is appropriate, and what

the functions of the central contact points should be.

EBA shall submit the draft regulatory technical standards referred to in

the first subparagraph to the Commission by 26 June 2017.

▼B

11.

Power is delegated to the Commission to adopt the regulatory

technical standards referred to in paragraph 10 of this Article in

accordance with Articles 10 to 14 of Regulations (EU)

No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.

Article 46

1.

Member States shall require that obliged entities take measures

proportionate to their risks, nature and size so that their employees

are aware of the provisions adopted pursuant to this Directive,

including relevant data protection requirements.

Those measures shall include participation of their employees in special

ongoing training programmes to help them recognise operations which

may be related to money laundering or terrorist financing and to instruct

them as to how to proceed in such cases.

Where a natural person falling within any of the categories listed in

point (3) of Article 2(1) performs professional activities as an employee

of a legal person, the obligations in this Section shall apply to that legal

person rather than to the natural person.

2.

Member States shall ensure that obliged entities have access to

up-to-date information on the practices of money launderers and

financers of terrorism and on indications leading to the recognition of

suspicious transactions.

3.

Member States shall ensure that, where practicable, timely

feedback on the effectiveness of and follow-up to reports of suspected

money laundering or terrorist financing is provided to obliged entities.

02015L0849 — EN — 30.12.2024 — 004.001 — 50

▼B

4.

Member States shall require that, where applicable, obliged entities

identify the member of the management board who is responsible for

the implementation of the laws, regulations and administrative

provisions necessary to comply with this Directive.

SECTION 2

Supervision

Article 47

▼M3

1.

Member States shall ensure that currency exchange and

cheque-cashing offices and trust or company service providers are

licensed or registered, and that providers of gambling services are

regulated.

▼B

2.

Member States shall require competent authorities to ensure that

the persons who hold a management function in the entities referred to

in paragraph 1, or are the beneficial owners of such entities, are fit and

proper persons.

3.

With respect to the obliged entities referred to in point (3)(a), (b)

and (d) of Article 2(1), Member States shall ensure that competent

authorities take the necessary measures to prevent criminals convicted

in relevant areas or their associates from holding a management function

in or being the beneficial owners of those obliged entities.

Article 48

1.

Member States shall require the competent authorities to monitor

effectively, and to take the measures necessary to ensure, compliance

with this Directive.

▼M1

1a.

In order to facilitate and promote effective cooperation, and in

particular the exchange of information, Member States shall

communicate to the Commission the list of competent authorities of

the obliged entities listed in Article 2(1), including their contact

details. Member States shall ensure that the information provided to

the Commission remains updated.

The Commission shall publish a register of those authorities and their

contact details on its website. The authorities in the register shall, within

the scope of their powers, serve as a contact point for the counterpart

competent authorities of the other Member States. ►M2 The financial

supervisory authorities of the Member States shall also serve as a

contact point for EBA. ◄

In order to ensure the adequate enforcement of this Directive, Member

States shall require that all obliged entities are subject to adequate

supervision, including the powers to conduct on-site and off-site super-

vision, and shall take appropriate and proportionate administrative

measures to remedy the situation in the case of breaches.

02015L0849 — EN — 30.12.2024 — 004.001 — 51

▼M1

2.

Member States shall ensure that the competent authorities have

adequate powers, including the power to compel the production of

any information that is relevant to monitoring compliance and

perform checks, and have adequate financial, human and technical

resources to perform their functions. Member States shall ensure that

staff of those authorities are of high integrity and appropriately skilled,

and maintain high professional standards, including standards of confi-

dentiality, data protection and standards addressing conflicts of interest.

▼B

3.

In the case of credit institutions, financial institutions, and

providers of gambling services, competent authorities shall have

enhanced supervisory powers.

▼M1

4.

Member States shall ensure that competent authorities of the

Member State in which the obliged entity operates establishments

supervise the respect by those establishments of the national provisions

of that Member State transposing this Directive.

In the case of credit and financial institutions that are part of a group,

Member States shall ensure that, for the purposes laid down in the first

subparagraph, the competent authorities of the Member State where a

parent undertaking is established cooperate with the competent auth-

orities of the Member States where the establishments that are part of

group are established.

In the case of the establishments referred to in Article 45(9), supervision

as referred to in the first subparagraph of this paragraph may include the

taking of appropriate and proportionate measures to address serious

failings that require immediate remedies. Those measures shall be

temporary and be terminated when the failings identified are addressed,

including with the assistance of or in cooperation with the competent

authorities of the home Member State of the obliged entity, in

accordance with Article 45(2).

▼B

5.

Member States shall ensure that the competent authorities of the

Member State in which the obliged entity operates establishments shall

cooperate with the competent authorities of the Member State in which

the obliged entity has its head office, to ensure effective supervision of

the requirements of this Directive.

▼M1

In the case of credit and financial institutions that are part of a group,

Member States shall ensure that the competent authorities of the

Member State where a parent undertaking is established supervise the

effective implementation of the group-wide policies and procedures

referred to in Article 45(1). For that purpose, Member States shall

ensure that the competent authorities of the Member State where

credit and financial institutions that are part of the group are established

cooperate with the competent authorities of the Member State where the

parent undertaking is established.

▼B

6.

Member States shall ensure that when applying a risk-based

approach to supervision, the competent authorities:

(a) have a clear understanding of the risks of money laundering and

terrorist financing present in their Member State;

02015L0849 — EN — 30.12.2024 — 004.001 — 52

▼B

(b) have on-site and off-site access to all relevant information on the

specific domestic and international risks associated with customers,

products and services of the obliged entities; and

(c) base the frequency and intensity of on-site and off-site supervision

on the risk profile of obliged entities, and on the risks of money

laundering and terrorist financing in that Member State.

7.

The assessment of the money laundering and terrorist financing

risk profile of obliged entities, including the risks of non-compliance,

shall be reviewed both periodically and when there are major events or

developments in their management and operations.

8.

Member States shall ensure that competent authorities take into

account the degree of discretion allowed to the obliged entity, and

appropriately review the risk assessments underlying this discretion,

and the adequacy and implementation of its internal policies, controls

and procedures.

9.

In the case of the obliged entities referred to in point (3)(a), (b)

and (d) of Article 2(1), Member States may allow the functions referred

to in paragraph 1 of this Article to be performed by self-regulatory

bodies, provided that those self-regulatory bodies comply with

paragraph 2 of this Article.

10.

►M2 By 26 June 2017, the ESAs shall issue guidelines,

addressed to competent authorities, in accordance with Article 16 of

Regulation (EU) No 1093/2010, on the characteristics of a risk-based

approach to supervision and the steps to be taken when conducting

supervision on a risk-based basis. From 1 January 2020, EBA shall,

where appropriate, issue such guidelines. ◄ Specific account shall be

taken of the nature and size of the business, and, where appropriate and

proportionate, specific measures shall be laid down.

SECTION 3

Cooperation

S u b s e c t i o n I

N a t i o n a l c o o p e r a t i o n

▼M1

Article 49

Member States shall ensure that policy makers, the FIUs, supervisors

and other competent authorities involved in AML/CFT, as well as tax

authorities and law enforcement authorities when acting within the

scope of this Directive, have effective mechanisms to enable them to

cooperate and coordinate domestically concerning the development and

implementation of policies and activities to combat money laundering

and terrorist financing, including with a view to fulfilling their obli-

gation under Article 7.

02015L0849 — EN — 30.12.2024 — 004.001 — 53

▼B

S u b s e c t i o n I I

▼M2

C o o p e r a t i o n w i t h E B A

Article 50

The competent authorities shall provide EBA with all the information

necessary to allow it to carry out its duties under this Directive.

▼M1

S u b s e c t i o n I I a

C o o p e r a t i o n b e t w e e n c o m p e t e n t a u t h o r i t i e s o f

t h e M e m b e r S t a t e s

Article 50a

Member States shall not prohibit or place unreasonable or unduly

restrictive conditions on the exchange of information or assistance

between competent authorities for the purposes of this Directive. In

particular Member States shall ensure that competent authorities do

not refuse a request for assistance on the grounds that:

(a) the request is also considered to involve tax matters;

(b) national law requires obliged entities to maintain secrecy or confi-

dentiality, except in those cases where the relevant information that

is sought is protected by legal privilege or where legal professional

secrecy applies, as described in Article 34(2);

(c) there is an inquiry, investigation or proceeding underway in the

requested Member State, unless the assistance would impede that

inquiry, investigation or proceeding;

(d) the nature or status of the requesting counterpart competent

authority is different from that of requested competent authority.

▼B

S u b s e c t i o n I I I

C o o p e r a t i o n

b e t w e e n

F I U s

a n d

w i t h

t h e

C o m m i s s i o n

Article 51

The Commission may lend such assistance as may be needed to

facilitate coordination, including the exchange of information between

FIUs within the Union. It may regularly convene meetings of the EU

FIUs' Platform composed of representatives from Member States' FIUs,

in order to facilitate cooperation among FIUs, exchange views and

provide advice on implementation issues relevant for FIUs and

reporting entities as well as on cooperation-related issues such as

effective FIU cooperation, the identification of suspicious transactions

with a cross-border dimension, the standardisation of reporting formats

through the FIU.net or its successor, the joint analysis of cross-border

cases, and the identification of trends and factors relevant to assessing

the risks of money laundering and terrorist financing at national and

supranational level.

02015L0849 — EN — 30.12.2024 — 004.001 — 54

▼B

Article 52

Member States shall ensure that FIUs cooperate with each other to the

greatest extent possible, regardless of their organisational status.

Article 53

▼M1

1.

Member States shall ensure that FIUs exchange, spontaneously or

upon request, any information that may be relevant for the processing or

analysis of information by the FIU related to money laundering or

terrorist financing and the natural or legal person involved, regardless

of the type of associated predicate offences and even if the type of

associated predicate offences is not identified at the time of the

exchange.

▼B

A request shall contain the relevant facts, background information,

reasons for the request and how the information sought will be used.

Different exchange mechanisms may apply if so agreed between the

FIUs, in particular as regards exchanges through the FIU.net or its

successor.

When an FIU receives a report pursuant to point (a) of the first sub-

paragraph of Article 33(1) which concerns another Member State, it

shall promptly forward it to the FIU of that Member State.

2.

Member States shall ensure that the FIU to whom the request is

made is required to use the whole range of its available powers which it

would normally use domestically for receiving and analysing

information when it replies to a request for information referred to in

paragraph 1 from another FIU. The FIU to whom the request is made

shall respond in a timely manner.

When an FIU seeks to obtain additional information from an obliged

entity established in another Member State which operates on its

territory, the request shall be addressed to the FIU of the Member

State in whose territory the obliged entity is established. ►M1 That

FIU shall obtain information in accordance with Article 33(1) and

transfer the answers promptly. ◄

3.

An FIU may refuse to exchange information only in exceptional

circumstances where the exchange could be contrary to fundamental

principles of its national law. Those exceptions shall be specified in a

way which prevents misuse of, and undue limitations on, the free

exchange of information for analytical purposes.

Article 54

Information and documents received pursuant to Articles 52 and 53

shall be used for the accomplishment of the FIU's tasks as laid down

in this Directive. When exchanging information and documents pursuant

to Articles 52 and 53, the transmitting FIU may impose restrictions and

conditions for the use of that information. The receiving FIU shall

comply with those restrictions and conditions.

02015L0849 — EN — 30.12.2024 — 004.001 — 55

▼M1

Member States shall ensure that FIUs designate at least one contact

person or point to be responsible for receiving requests for information

from FIUs in other Member States.

▼B

Article 55

1.

Member States shall ensure that the information exchanged

pursuant to Articles 52 and 53 is used only for the purpose for which

it was sought or provided and that any dissemination of that information

by the receiving FIU to any other authority, agency or department, or

any use of this information for purposes beyond those originally

approved, is made subject to the prior consent by the FIU providing

the information.

▼M1

2.

Member States shall ensure that the requested FIU’s prior consent

to disseminate the information to competent authorities is granted

promptly and to the largest extent possible, regardless of the type of

associated predicate offences. The requested FIU shall not refuse its

consent to such dissemination unless this would fall beyond the scope

of application of its AML/CFT provisions or could lead to impairment

of an investigation, or would otherwise not be in accordance with

fundamental principles of national law of that Member State. Any

such refusal to grant consent shall be appropriately explained. Those

exceptions shall be specified in a way which prevents misuse of, and

undue limitations to, the dissemination of information to competent

authorities.

▼B

Article 56

1.

Member States shall require their FIUs to use protected channels

of communication between themselves and encourage the use of the

FIU.net or its successor.

2.

Member States shall ensure that, in order to fulfil their tasks as

laid down in this Directive, their FIUs cooperate in the application of

state-of-the-art technologies in accordance with their national law. Those

technologies shall allow FIUs to match their data with that of other

FIUs in an anonymous way by ensuring full protection of personal

data with the aim of detecting subjects of the FIU's interests in other

Member States and identifying their proceeds and funds.

▼M1

Article 57

Differences between national law definitions of predicate offences as

referred to in point 4 of Article 3 shall not impede the ability of FIUs to

provide assistance to another FIU and shall not limit the exchange,

dissemination and the use of information pursuant to Articles 53, 54

and 55.

02015L0849 — EN — 30.12.2024 — 004.001 — 56

▼M1

S u b s e c t i o n I I I a

b e t w e e n c o m p e t e n t

C o o p e r a t i o n

a u t h o r i t i e s

s u p e r v i s i n g c r e d i t a n d f i n a n c i a l i n s t i t u t i o n s

a n d o t h e r a u t h o r i t i e s b o u n d b y p r o f e s s i o n a l

s e c r e c y

Article 57a

1.

Member States shall require that all persons working for or who

have worked for competent authorities supervising credit and financial

institutions for compliance with this Directive and auditors or experts

acting on behalf of such competent authorities shall be bound by the

obligation of professional secrecy.

Without prejudice to cases covered by criminal law, confidential

information which the persons referred to in the first subparagraph

receive in the course of their duties under this Directive may be

disclosed only in summary or aggregate form, in such a way that

individual credit and financial institutions cannot be identified.

2.

Paragraph 1 shall not prevent the exchange of information

between:

(a) competent authorities supervising credit and financial institutions

within a Member State in accordance with this Directive or other

legislative acts relating to the supervision of credit and financial

institutions;

(b) competent authorities supervising credit and financial institutions in

different Member States in accordance with this Directive or other

legislative acts relating to the supervision of credit and financial

institutions, including the European Central Bank (ECB) acting in

accordance with Council Regulation (EU) No 1024/2013 (¹). That

exchange of information shall be subject to the conditions of profes-

sional secrecy indicated in paragraph 1.

By 10 January 2019, the competent authorities supervising credit and

financial institutions in accordance with this Directive and the ECB,

acting pursuant to Article 27(2) of Regulation (EU) No 1024/2013

and point (g) of the first subparagraph of Article 56 of Directive

2013/36/EU of the European Parliament and of the Council (²), shall

conclude, with the support of the European Supervisory Authorities, an

agreement on the practical modalities for exchange of information.

(¹) Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring

specific tasks on the European Central Bank concerning policies relating to

the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63).

(²) Directive 2013/36/EU of the European Parliament and of the Council of

26 June 2013 on access to the activity of credit institutions and the prudential

supervision of credit institutions and investment firms, amending Directive

2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176,

27.6.2013, p. 338).

02015L0849 — EN — 30.12.2024 — 004.001 — 57

▼M1

3.

Competent authorities supervising credit and financial institutions

receiving confidential information as referred to in paragraph 1, shall

only use this information:

(a) in the discharge of their duties under this Directive or under other

legislative acts in the field of AML/CFT, of prudential regulation

and of supervising credit and financial institutions, including

sanctioning;

(b) in an appeal against a decision of the competent authority super-

vising credit and financial institutions, including court proceedings;

(c) in court proceedings initiated pursuant to special provisions

provided for in Union law adopted in the field of this Directive

or in the field of prudential regulation and supervision of credit and

financial institutions.

4.

Member States shall ensure that competent authorities supervising

credit and financial institutions cooperate with each other for the

purposes of this Directive to the greatest extent possible, regardless of

their respective nature or status. Such cooperation also includes the

ability to conduct, within the powers of the requested competent

authority, inquiries on behalf of a requesting competent authority, and

the subsequent exchange of the information obtained through such

inquiries.

5.

Member States may authorise their national competent authorities

which supervise credit and financial institutions to conclude cooperation

agreements providing for collaboration and exchanges of confidential

information with the competent authorities of third countries that

constitute counterparts of those national competent authorities. Such

cooperation agreements shall be concluded on the basis of reciprocity

and only if the information disclosed is subject to a guarantee of profes-

sional secrecy requirements at least equivalent to that referred to in

paragraph 1. Confidential information exchanged according to those

cooperation agreements shall be used for the purpose of performing

the supervisory task of those authorities.

Where the information exchanged originates in another Member State, it

shall only be disclosed with the explicit consent of the competent

authority which shared it and, where appropriate, solely for the

purposes for which that authority gave its consent.

Article 57b

1.

Notwithstanding Article 57a(1) and (3) and without prejudice to

Article 34(2), Member States may authorise the exchange of information

between competent authorities in the same Member State or in different

Member States, between the competent authorities and authorities

entrusted with the supervision of financial sector entities and natural

or legal persons acting in the exercise of their professional activities

as referred to in point (3) of Article 2(1) and the authorities responsible

by law for the supervision of financial markets in the discharge of their

respective supervisory functions.

02015L0849 — EN — 30.12.2024 — 004.001 — 58

▼M1

The information received shall in any event be subject to professional

secrecy requirements at least equivalent to those referred to in

Article 57a(1).

2.

Notwithstanding Article 57a(1) and (3), Member States may, by

virtue of provisions laid down in national law, authorise the disclosure

of certain information to other national authorities responsible by law

for the supervision of the financial markets, or with designated respon-

sibilities in the field of combating or investigation of money laundering,

the associated predicate offences or terrorist financing.

However, confidential information exchanged according to this

paragraph shall only be used for the purpose of performing the legal

tasks of the authorities concerned. Persons having access to such

information shall be subject to professional secrecy requirements at

least equivalent to those referred to in Article 57a(1).

3.

Member States may authorise the disclosure of certain information

relating to the supervision of credit institutions for compliance with this

Directive to Parliamentary inquiry committees, courts of auditors and

other entities in charge of enquiries, in their Member State, under the

following conditions:

(a) the entities have a precise mandate under national law to investigate

or scrutinise the actions of authorities responsible for the super-

vision of those credit institutions or for laws on such supervision;

(b) the information is strictly necessary for fulfilling the mandate

referred to in point (a);

(c) the persons with access to the information are subject to profes-

sional secrecy requirements under national law at least equivalent to

those referred to in Article 57a(1);

(d) where the information originates in another Member State, it shall

not be disclosed without the express consent of the competent auth-

orities which have disclosed it and, solely for the purposes for

which those authorities gave their consent.

▼B

SECTION 4

Sanctions

Article 58

1.

Member States shall ensure that obliged entities can be held liable

for breaches of national provisions transposing this Directive in

accordance with this Article and Articles 59 to 61. Any resulting

sanction or measure shall be effective, proportionate and dissuasive.

2.

Without prejudice to the right of Member States to provide for and

impose criminal sanctions, Member States shall lay down rules on

administrative sanctions and measures and ensure that their competent

authorities may impose such sanctions and measures with respect to

breaches of the national provisions transposing this Directive, and

shall ensure that they are applied.

02015L0849 — EN — 30.12.2024 — 004.001 — 59

▼B

Member States may decide not to lay down rules for administrative

sanctions or measures for breaches which are subject to criminal

sanctions in their national law. In that case, Member States shall

communicate to the Commission the relevant criminal law provisions.

▼M1

Member States shall further ensure that where their competent auth-

orities identify breaches which are subject to criminal sanctions, they

inform the law enforcement authorities in a timely manner.

▼B

3.

Member States shall ensure that where obligations apply to legal

persons in the event of a breach of national provisions transposing this

Directive, sanctions and measures can be applied to the members of the

management body and to other natural persons who under national law

are responsible for the breach.

4.

Member States shall ensure that the competent authorities have all

the supervisory and investigatory powers that are necessary for the

exercise of their functions.

5.

Competent authorities shall exercise their powers to impose

administrative sanctions and measures in accordance with this Directive,

and with national law, in any of the following ways:

(a) directly;

(b) in collaboration with other authorities;

(c) under their responsibility by delegation to such other authorities;

(d) by application to the competent judicial authorities.

In the exercise of their powers to impose administrative sanctions and

measures, competent authorities shall cooperate closely in order to

ensure that those administrative sanctions or measures produce the

desired results and coordinate their action when dealing with

cross-border cases.

Article 59

1.

Member States shall ensure that this Article applies at least to

breaches on the part of obliged entities that are serious, repeated,

systematic, or a combination thereof, of the requirements laid down in:

(a) Articles 10 to 24 (customer due diligence);

(b) Articles 33, 34 and 35 (suspicious transaction reporting);

(c) Article 40 (record-keeping); and

(d) Articles 45 and 46 (internal controls).

2.

Member States shall ensure that in the cases referred to in

paragraph 1, the administrative sanctions and measures that can be

applied include at least the following:

(a) a public statement which identifies the natural or legal person and

the nature of the breach;

(b) an order requiring the natural or legal person to cease the conduct

and to desist from repetition of that conduct;

02015L0849 — EN — 30.12.2024 — 004.001 — 60

▼B

(c) where an obliged entity is subject to an authorisation, withdrawal or

suspension of the authorisation;

(d) a temporary ban against any person discharging managerial respon-

sibilities in an obliged entity, or any other natural person, held

responsible for the breach, from exercising managerial functions

in obliged entities;

(e) maximum administrative pecuniary sanctions of at least twice the

amount of the benefit derived from the breach where that benefit

can be determined, or at least EUR 1 000 000.

3.

Member States shall ensure that, by way of derogation from

paragraph 2(e), where the obliged entity concerned is a credit institution

or financial institution, the following sanctions can also be applied:

(a) in the case of a legal person, maximum administrative pecuniary

sanctions of at least EUR 5 000 000 or 10 % of the total annual

turnover according to the latest available accounts approved by the

management body; where the obliged entity is a parent undertaking

or a subsidiary of a parent undertaking which is required to prepare

consolidated financial accounts in accordance with Article 22 of

Directive 2013/34/EU, the relevant total annual turnover shall be

the total annual turnover or the corresponding type of income in

accordance with the relevant accounting Directives according to the

last available consolidated accounts approved by the management

body of the ultimate parent undertaking;

(b) in the case of a natural person, maximum administrative pecuniary

sanctions of at least EUR 5 000 000, or in the Member States whose

currency is not the euro, the corresponding value in the national

currency on 25 June 2015.

4.

Member States may empower competent authorities to impose

additional types of administrative sanctions in addition to those

referred to in points (a) to (d) of paragraph 2 or to impose administra-

tive pecuniary sanctions exceeding the amounts referred to in point (e)

of paragraph 2 and in paragraph 3.

Article 60

1.

Member States shall ensure that a decision imposing an adminis-

trative sanction or measure for breach of the national provisions trans-

posing this Directive against which there is no appeal shall be published

by the competent authorities on their official website immediately after

the person sanctioned is informed of that decision. The publication shall

include at least information on the type and nature of the breach and the

identity of the persons responsible. Member States shall not be obliged

to apply this subparagraph to decisions imposing measures that are of an

investigatory nature.

Where the publication of the identity of the persons responsible as

referred to in the first subparagraph or the personal data of such

persons is considered by the competent authority to be disproportionate

following a case-by-case assessment conducted on the proportionality of

the publication of such data, or where publication jeopardises the

stability of financial markets or an on-going investigation, competent

authorities shall:

02015L0849 — EN — 30.12.2024 — 004.001 — 61

▼B

(a) delay the publication of the decision to impose an administrative

sanction or measure until the moment at which the reasons for not

publishing it cease to exist;

(b) publish the decision to impose an administrative sanction or

measure on an anonymous basis in a manner in accordance with

national law, if such anonymous publication ensures an effective

protection of the personal data concerned; in the case of a

decision to publish an administrative sanction or measure on an

anonymous basis, the publication of the relevant data may be

postponed for a reasonable period of time if it is foreseen that

within that period the reasons for anonymous publication shall

cease to exist;

(c) not publish the decision to impose an administrative sanction or

measure at all in the event that the options set out in points (a)

and (b) are considered insufficient to ensure:

(i) that the stability of financial markets would not be put in

jeopardy; or

(ii) the proportionality of the publication of the decision with regard

to measures which are deemed to be of a minor nature.

2.

Where Member States permit publication of decisions against

which there is an appeal, competent authorities shall also publish,

immediately, on their official website such information and any

subsequent information on the outcome of such appeal. Moreover,

any decision annulling a previous decision to impose an administrative

sanction or a measure shall also be published.

3.

Competent authorities shall ensure that any publication in

accordance with this Article shall remain on their official website for

a period of five years after its publication. However, personal data

contained in the publication shall only be kept on the official website

of the competent authority for the period which is necessary in

accordance with the applicable data protection rules.

4.

Member States shall ensure that when determining the type and

level of administrative sanctions or measures, the competent authorities

shall take into account all relevant circumstances, including where

applicable:

(a) the gravity and the duration of the breach;

(b) the degree of responsibility of the natural or legal person held

responsible;

(c) the financial strength of the natural or legal person held responsible,

as indicated for example by the total turnover of the legal person

held responsible or the annual income of the natural person held

responsible;

(d) the benefit derived from the breach by the natural or legal person

held responsible, insofar as it can be determined;

(e) the losses to third parties caused by the breach, insofar as they can

be determined;

(f) the level of cooperation of the natural or legal person held

responsible with the competent authority;

(g) previous breaches by the natural or legal person held responsible.

02015L0849 — EN — 30.12.2024 — 004.001 — 62

▼B

5.

Member States shall ensure that legal persons can be held liable

for the breaches referred to in Article 59(1) committed for their benefit

by any person, acting individually or as part of an organ of that legal

person, and having a leading position within the legal person based on

any of the following:

(a) power to represent the legal person;

(b) authority to take decisions on behalf of the legal person; or

(c) authority to exercise control within the legal person.

6.

Member States shall also ensure that legal persons can be held

liable where the lack of supervision or control by a person referred to in

paragraph 5 of this Article has made it possible to commit one of the

breaches referred to in Article 59(1) for the benefit of that legal person

by a person under its authority.

Article 61

▼M1

1.

Member States shall ensure that competent authorities, as well as,

where applicable, self-regulatory bodies, establish effective and reliable

mechanisms to encourage the reporting to competent authorities, as well

as, where applicable self-regulatory bodies, of potential or actual

breaches of the national provisions transposing this Directive.

For that purpose, they shall provide one or more secure communication

channels for persons for the reporting referred to in the first

subparagraph. Such channels shall ensure that the identity of persons

providing information is known only to the competent authorities, as

well as, where applicable, self-regulatory bodies.

▼B

2.

The mechanisms referred to in paragraph 1 shall include at least:

(a) specific procedures for the receipt of reports on breaches and their

follow-up;

(b) appropriate protection for employees or persons in a comparable

position, of obliged entities who report breaches committed within

the obliged entity;

(c) appropriate protection for the accused person;

(d) protection of personal data concerning both the person who reports

the breaches and the natural person who is allegedly responsible for

a breach, in compliance with the principles laid down in Directive

95/46/EC;

(e) clear rules that ensure that confidentiality is guaranteed in all cases

in relation to the person who reports the breaches committed within

the obliged entity, unless disclosure is required by national law in

the context of further investigations or subsequent judicial

proceedings.

02015L0849 — EN — 30.12.2024 — 004.001 — 63

▼B

3.

Member States shall require obliged entities to have in place

appropriate procedures for their employees, or persons in a comparable

position, to report breaches internally through a specific, independent

and anonymous channel, proportionate to the nature and size of the

obliged entity concerned.

▼M1

Member States shall ensure that individuals, including employees and

representatives of the obliged entity who report suspicions of money

laundering or terrorist financing internally or to the FIU, are legally

protected from being exposed to threats, retaliatory or hostile action,

and in particular from adverse or discriminatory employment actions.

Member States shall ensure that individuals who are exposed to threats,

hostile actions, or adverse or discriminatory employment actions for

reporting suspicions of money laundering or terrorist financing

internally or to the FIU are entitled to present a complaint in a safe

manner to the respective competent authorities. Without prejudice to the

confidentiality of information gathered by the FIU, Member States shall

also ensure that such individuals have the right to effective remedy to

safeguard their rights under this paragraph.

▼B

Article 62

▼M2

1.

Member States shall ensure that their competent authorities inform

EBA of all administrative sanctions and measures imposed in

accordance with Articles 58 and 59 on credit institutions and financial

institutions, including of any appeal in relation thereto and the outcome

thereof.

▼B

2.

Member States shall ensure that their competent authorities, in

accordance with their national law, check the existence of a relevant

conviction in the criminal record of the person concerned. Any

exchange of information for those purposes shall be carried out in

accordance with Decision 2009/316/JHA and Framework Decision

2009/315/JHA as implemented in national law.

▼M2

3.

EBA shall maintain a website with links to each competent

authority’s publication of administrative sanctions and measures

imposed in accordance with Article 60 on credit institutions and

financial institutions, and shall show the time period for which each

Member State publishes administrative sanctions and measures.

▼B

CHAPTER VII

FINAL PROVISIONS

Article 63

Point (d) of paragraph 2 of Article 25 of Regulation (EU) No 648/2012

of the European Parliament and the Council (¹) is replaced by the

following:

(¹) Regulation (EU) No 648/2012 of the European Parliament and of the Council

of 4 July 2012 on OTC derivatives, central counterparties and trade reposi-

tories (OJ L 201, 27.7.2012, p. 1).

02015L0849 — EN — 30.12.2024 — 004.001 — 64

▼B

‘(d) the CCP is established or authorised in a third country that is

not considered, by the Commission in accordance with

Directive (EU) 2015/849 of the European Parliament and of

the Council (*), as having strategic deficiencies in its national

anti-money laundering and counter financing of terrorism

regime that poses significant threats to the financial system

of the Union.

___________

(*) Directive (EU) 2015/849 of the European Parliament and of the

Council of 20 May 2015 on the prevention of the use of the

financial system for the purpose of money laundering or

terrorist financing, amending Regulation (EU) No 648/2012 of

the European Parliament and of the Council, and repealing

Directive 2005/60/EC of the European Parliament and of the

Council and Commission Directive 2006/70/EC (OJ L 141,

5.6.2015, p. 73).’.

Article 64

1.

The power to adopt delegated acts is conferred on the Commission

subject to the conditions laid down in this Article.

2. The power to adopt delegated acts referred to in Article 9 shall be

conferred on the Commission for an indeterminate period of time from

25 June 2015.

3.

The power to adopt delegated acts referred to in Article 9 may be

revoked at any time by the European Parliament or by the Council. A

decision to revoke shall put an end to the delegation of the power

specified in that decision. It shall take effect on the day following the

publication of the decision in the Official Journal of the European

Union or at a later date specified therein. It shall not affect the

validity of any delegated acts already in force.

4.

As soon as it adopts a delegated act, the Commission shall notify

it simultaneously to the European Parliament and to the Council.

5.

A delegated act adopted pursuant to Article 9 shall enter into force

only if no objection has been expressed either by the European

Parliament or the Council within a period of one month of notification

of that act to the European Parliament and the Council or if, before the

expiry of that period, the European Parliament and the Council have

both informed the Commission that they will not object. That period

shall be extended by one month at the initiative of the European

Parliament or of the Council.

▼M1

Article 64a

1.

The Commission shall be assisted by the Committee on the

Prevention of Money Laundering and Terrorist Financing (the

‘Committee’) as referred to in Article 23 of Regulation (EU)

2015/847 of the European Parliament and of the Council (¹). That

committee shall be

a

committee within the meaning of

Regulation (EU) No 182/2011 (²).

(¹) Regulation (EU) 2015/847 of the European Parliament and of the Council of

20 May 2015 on information accompanying transfers of funds and repealing

Regulation (EC) No 1781/2006 (OJ L 141, 5.6.2015, p. 1).

(²) Regulation (EU) No 182/2011 of the European Parliament and of the Council

of 16 February 2011 laying down the rules and general principles concerning

mechanisms for control by the Member States of the Commission’s exercise

of implementing powers (OJ L 55, 28.2.2011, p. 13).

02015L0849 — EN — 30.12.2024 — 004.001 — 65

▼M1

2.

Where reference is made to this paragraph, Article 5 of Regu-

lation (EU) No 182/2011 shall apply.

Article 65

By 11 January 2022, and every three years thereafter, the

1.

Commission shall draw up a report on the implementation of this

Directive and submit it to the European Parliament and to the Council.

That report shall include in particular:

(a) an account of specific measures adopted and mechanisms set up at

Union and Member State level to prevent and address emerging

problems and new developments presenting a threat to the Union

financial system;

(b) follow-up actions undertaken at Union and Member State level on

the basis of concerns brought to their attention, including

complaints relating to national laws hampering the supervisory

and investigative powers of competent authorities and

self-regulatory bodies;

(c) an account of the availability of relevant information for the

competent authorities and FIUs of the Member States, for the

prevention of the use of the financial system for the purposes of

money laundering and terrorist financing;

(d) an account of the international cooperation and information

exchange between competent authorities and FIUs;

(e) an account of necessary Commission actions to verify that Member

States take action in compliance with this Directive and to assess

emerging problems and new developments in the Member States;

(f) an analysis of feasibility of specific measures and mechanisms at

Union and Member State level on the possibilities to collect and

access the beneficial ownership information of corporate and other

legal entities incorporated outside of the Union and of the propor-

tionality of the measures referred to in point (b) of Article 20;

(g) an evaluation of how fundamental rights and principles recognised

by the Charter of Fundamental Rights of the European Union have

been respected.

The first report, to be published by 11 January 2022, shall be accom-

panied, if necessary, by appropriate legislative proposals, including,

where appropriate, with respect to virtual currencies, empowerments

to set-up and maintain a central database registering users’ identities

and wallet addresses accessible to FIUs, as well as self-declaration

forms for the use of virtual currency users, and to improve cooperation

between Asset Recovery Offices of the Member States and a risk-based

application of the measures referred to in point (b) of Article 20.

02015L0849 — EN — 30.12.2024 — 004.001 — 66

▼M1

2.

By 1 June 2019, the Commission shall assess the framework for

FIUs’ cooperation with third countries and obstacles and opportunities

to enhance cooperation between FIUs in the Union including the possi-

bility of establishing a coordination and support mechanism.

3.

The Commission shall, if appropriate, issue a report to the

European Parliament and to Council to assess the need and propor-

tionality of lowering the percentage for the identification of beneficial

ownership of legal entities in light of any recommendation issued in this

sense by international organisations and standard setters with

competence in the field of preventing money laundering and

combating terrorist financing as a result of a new assessment, and

present a legislative proposal, if appropriate.

▼B

Article 66

Directives 2005/60/EC and 2006/70/EC are repealed with effect from

26 June 2017.

References to the repealed Directives shall be construed as references to

this Directive and shall be read in accordance with the correlation table

set out in Annex IV.

Article 67

▼M1

1.

Member States shall bring into force the laws, regulations and

administrative provisions necessary to comply with this Directive by

26 June 2017.

Member States shall apply Article 12(3) as of 10 July 2020.

Member States shall set up the registers referred to in Article 30 by

10 January 2020 and the registers referred to in Article 31 by 10 March

2020 and the centralised automated mechanisms referred to in

Article 32a by 10 September 2020.

The Commission shall ensure the interconnection of registers referred to

in Articles 30 and 31 in cooperation with the Member States by

10 March 2021.

Member States shall immediately communicate the text of the measures

referred to in this paragraph to the Commission.

When Member States adopt those measures, they shall contain a

reference to this Directive or be accompanied by such a reference on

the occasion of their official publication. The methods of making such

reference shall be laid down by Member States.

▼B

2.

Member States shall communicate to the Commission the text of

the main provisions of national law which they adopt in the field

covered by this Directive.

▼M3

3.

Member States shall adopt and publish, by 30 December 2024, the

laws, regulations and administrative provisions necessary to comply

with Article 2(1), point 3, Article 3, point (2)(g), Article 3, points

(8), (18), (19) and (20), Article 19a(1), Article 19b(1) and (2),

Article 45(9) and Article 47(1). They shall immediately communicate

the text of those measures to the Commission.

They shall apply those measures from 30 December 2024.

02015L0849 — EN — 30.12.2024 — 004.001 — 67

▼B

Article 68

This Directive shall enter into force on the twentieth day following that

of its publication in the Official Journal of the European Union.

Article 69

This Directive is addressed to the Member States.

02015L0849 — EN — 30.12.2024 — 004.001 — 68

▼B

ANNEX I

The following is a non-exhaustive list of risk variables that obliged entities shall

consider when determining to what extent to apply customer due diligence

measures in accordance with Article 13(3):

(i) the purpose of an account or relationship;

(ii) the level of assets to be deposited by a customer or the size of transactions

undertaken;

(iii) the regularity or duration of the business relationship.

02015L0849 — EN — 30.12.2024 — 004.001 — 69

▼B

ANNEX II

The following is a non-exhaustive list of factors and types of evidence of

potentially lower risk referred to in Article 16:

(1) Customer risk factors:

(a) public companies listed on a stock exchange and subject to disclosure

requirements (either by stock exchange rules or through law or

enforceable means), which impose requirements to ensure adequate trans-

parency of beneficial ownership;

(b) public administrations or enterprises;

(c) customers that are resident in geographical areas of lower risk as set out

in point (3);

(2) Product, service, transaction or delivery channel risk factors:

(a) life insurance policies for which the premium is low;

(b) insurance policies for pension schemes if there is no early surrender

option and the policy cannot be used as collateral;

(c) a pension, superannuation or similar scheme that provides retirement

benefits to employees, where contributions are made by way of

deduction from wages, and the scheme rules do not permit the

assignment of a member's interest under the scheme;

(d) financial products or services that provide appropriately defined and

limited services to certain types of customers, so as to increase access

for financial inclusion purposes;

(e) products where the risks of money laundering and terrorist financing are

managed by other factors such as purse limits or transparency of

ownership (e.g. certain types of electronic money);

▼M1

(3) Geographical risk factors — registration, establishment, residence in:

▼B

(a) Member States;

(b) third countries having effective AML/CFT systems;

(c) third countries identified by credible sources as having a low level of

corruption or other criminal activity;

(d) third countries which, on the basis of credible sources such as mutual

evaluations, detailed assessment reports or published follow-up reports,

have requirements to combat money laundering and terrorist financing

consistent with the revised FATF Recommendations and effectively

implement those requirements.

02015L0849 — EN — 30.12.2024 — 004.001 — 70

▼B

ANNEX III

The following is a non-exhaustive list of factors and types of evidence of

potentially higher risk referred to in Article 18(3):

(1) Customer risk factors:

(a) the business relationship is conducted in unusual circumstances;

(b) customers that are resident in geographical areas of higher risk as set out

in point (3);

(c) legal persons or arrangements that are personal asset-holding vehicles;

(d) companies that have nominee shareholders or shares in bearer form;

(e) businesses that are cash-intensive;

(f) the ownership structure of the company appears unusual or excessively

complex given the nature of the company's business;

▼M1

(g) customer is a third country national who applies for residence rights or

citizenship in the Member State in exchange of capital transfers, purchase

of property or government bonds, or investment in corporate entities in

that Member State.

▼B

(2) Product, service, transaction or delivery channel risk factors:

(a) private banking;

(b) products or transactions that might favour anonymity;

▼M1

(c) non-face-to-face business relationships or transactions, without certain

safeguards, such as electronic identification means, relevant trust

services as defined in Regulation (EU) No 910/2014 or any other

secure, remote or electronic, identification process regulated, recognised,

approved or accepted by the relevant national authorities;

▼B

(d) payment received from unknown or unassociated third parties;

(e) new products and new business practices, including new delivery

mechanism, and the use of new or developing technologies for both

new and pre-existing products;

▼M1

(f) transactions related to oil, arms, precious metals, tobacco products, cultural

artefacts and other items of archaeological, historical, cultural and religious

importance, or of rare scientific value, as well as ivory and protected species.

▼B

(3) Geographical risk factors:

(a) without prejudice to Article 9, countries identified by credible sources,

such as mutual evaluations, detailed assessment reports or published

follow-up reports, as not having effective AML/CFT systems;

(b) countries identified by credible sources as having significant levels of

corruption or other criminal activity;

(c) countries subject to sanctions, embargos or similar measures issued by,

for example, the Union or the United Nations;

(d) countries providing funding or support for terrorist activities, or that have

designated terrorist organisations operating within their country.

02015L0849 — EN — 30.12.2024 — 004.001 — 71

▼B

ANNEX IV

Correlation table

This Directive

Directive 2005/60/EC

Directive 2006/70/EC

—

Article 1

Article 3

Article 5

Article 6

Article 7

—

Article 1

Article 2

Article 1

Article 2

Article 2(3) to (9)

Article 3

Article 4

Article 3

Article 3(9), (10) and (11)

Article 4

Article 2(1), (2) and (3)

Article 4

Article 5

—

Article 5

Articles 6 to 8

Article 10

Article 11

Article 13

Article 14

Article 11(d)

—

Article 6

Article 7

Article 8

Article 9

Article 10(1)

Article 10(2)

Article 11

Articles 15, 16 and 17

—

Article 12

Articles 18 to 24

Article 22

Article 25

—

Article 13

Article 2(4)

Article 14

Article 15

Article 16

Article 17

Article 18

—

Article 26

—

Article 27

Article 28

Article 29

Article 30

Article 31

—

Article 19

—

Article 20

02015L0849 — EN — 30.12.2024 — 004.001 — 72

▼B

This Directive

Directive 2005/60/EC

Directive 2006/70/EC

Article 32

Article 33

Article 34

Article 35

Article 36

Article 37

Article 38

Article 39

—

Article 21

Article 22

Article 23

Article 24

Article 25

Article 26

Article 27

Article 28

Article 29

Article 30

Article 31

Article 32

Article 33

Article 34

Article 35

Article 36

Article 37

—

Article 40

Article 45

Article 42

Article 44

Article 45

Article 46

Article 47

Article 48

Article 49

Article 50

Article 51

Article 37a

Article 38

—

Articles 52 to 57

Articles 58 to 61

Article 39

Article 40

Article 41

Article 41a

Article 41b

Article 42

Article 43

Article 44

Article 45

Article 46

Article 47

—

Article 65

—

Article 66

Article 67

Article 68

Article 69