1/90

EN

OJ L, 19.6.2024

Parliament and of the Council (⁵) will form the legal framework governing the AML/CFT requirements to be met by

obliged entities and underpinning the Union’s AML/CFT institutional framework.

(5)

To bring AML/CFT supervision to an efficient and uniform level across the Union, it is necessary to provide the

Authority with the following powers: direct supervision of a certain number of selected obliged entities in the

financial sector, including crypto-asset service providers; monitoring, analysis and exchange of information

concerning ML/TF risks affecting the internal market; coordination and oversight of AML/CFT supervisors of the

financial sector; coordination and oversight of AML/CFT supervisors of the non-financial sector, including

self-regulatory bodies; and the coordination and support of FIUs.

(6)

Combining both direct and indirect supervisory competences in relation to obliged entities, and also providing

a support and coordination mechanism for FIUs, is the most appropriate means of bringing about AML/CFT

supervision and cooperation between FIUs at Union level. It is therefore necessary that the Authority combines

independence and a high level of technical expertise and is established in line with the Joint Statement and Common

Approach of the European Parliament, the Council of the European Union and the European Commission of 19 July

2012 on decentralised agencies.

(7)

The arrangements concerning the seat of the Authority should be laid down in a headquarters agreement between

the Authority and the Member State where its seat is located. The headquarters agreement should stipulate the

conditions of establishment of the seat and the advantages conferred by that Member State on the Authority and its

staff. The headquarters agreement should be concluded in a timely manner before the Authority begins its

operations.

(8)

When selecting the seat of the Authority, the European Parliament and the Council are to ensure that, given the

nature of the Authority, its location enables it to fully execute its tasks and powers, to recruit highly qualified and

specialised staff, to offer adequate training opportunities for AML/CFT activities, and, where relevant, to closely

cooperate with Union institutions, bodies, offices and agencies; and, in order to avoid reputational risks, the

European Parliament and the Council are to consider, based on publicly available, relevant and comparable

information, such as reports of the Financial Action Task Force (FATF), how ML/TF risks are adequately addressed in

the Member State where the seat will be located. In addition, the European Parliament and the Council are to take

into account the following criteria for the selection of the Authority’s seat: an assurance that the Authority can be set

up on site upon the entry into force of this Regulation; the accessibility of the location; the existence of adequate

education facilities for the children of staff members; appropriate access to the labour market, social security and

medical care for both children and spouses of staff members; and geographical balance. Considering those criteria,

the Authority should have its seat in Frankfurt am Main, Germany.

(9)

The powers of the Authority aim to allow it to improve AML/CFT supervision in the Union in various ways. With

respect to selected obliged entities, the Authority should ensure group-wide compliance with the requirements laid

down in the AML/CFT framework and any other legally binding Union acts that impose AML/CFT-related obligations

on financial institutions. With respect to financial supervisors, the Authority should in particular carry out periodic

reviews to ensure that all financial supervisors perform their tasks adequately. It should also investigate systematic

failures of supervision resulting from breaches, or the non-application or incorrect application, of Union law. With

respect to non-financial supervisors, including self-regulatory bodies where appropriate, the Authority should

coordinate peer reviews of supervisory standards and practices and request non-financial supervisors to ensure the

observance of AML/CFT requirements in their sphere of competence. The Authority should be able to act in cases of

potential breaches or non-application of Union law by non-financial supervisors and, where such breaches are not

rectified in line with the Authority’s recommendations, it should issue warnings to the affected counterparties of the

non-financial supervisors. The Authority should facilitate the functioning of the AML/CFT supervisory colleges in

(⁵)

Directive (EU) 2024/1640 of the European Parliament and of the Council of 31 May 2024 on the mechanisms to be put in place by

Member States for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing,

amending Directive (EU) 2019/1937, and amending and repealing Directive (EU) 2015/849 (OJ L, 2024/1640, 19.6.2024,

ELI: http://data.europa.eu/eli/dir/2024/1640/oj).

2/90

EN

OJ L, 19.6.2024

both the financial and non-financial sectors. Overall, the Authority should contribute to the convergence of

supervisory practices and the promotion of high supervisory standards. In addition, the Authority should coordinate

and support the conduct of joint analyses by FIUs, or request the launch of joint analyses, and should make IT and

artificial intelligence services available to FIUs to enhance their data analysis capabilities, as well as tools for secure

information sharing, including through the hosting of FIU.net, the dedicated IT system allowing FIUs to cooperate

and exchange information with each other and, where appropriate, with their counterparts from third countries and

third parties.

(10) With a view to strengthening AML/CFT rules at Union level, enhancing the clarity of those rules while ensuring

consistency with international standards and other legislation, and increasing the efficiency of the implementation of

AML/CFT measures, including in the non-financial sector, it is necessary to establish the coordinating role of the

Authority at Union level in relation to obliged entities in both the financial and the non-financial sectors for the

purposes of assisting national supervisors and promoting supervisory convergence. Consequently, the Authority

should be mandated to prepare draft regulatory and implementing technical standards and to adopt guidelines,

recommendations and opinions with the aim of ensuring that, where supervision remains at national level, the same

supervisory practices and standards apply in principle to all comparable entities. In addition, the Authority should be

tasked with monitoring and measuring the degree of convergence and the consistent application of legal

requirements and high supervisory standards by supervisory authorities and obliged entities. The Authority should

be entrusted, due to its highly specialised expertise, with the development of a supervisory methodology in line with

a risk-based approach. Certain aspects of the methodology, which can incorporate harmonised quantitative

benchmarks, such as approaches for classifying the risk profile of obliged entities, including their inherent and

residual risk profiles, should be detailed in directly applicable binding regulatory measures — regulatory or

implementing technical standards — taking into account ML/TF risks in prudential supervision, in order to ensure

effective interaction between AML/CFT supervision and prudential supervision. Other aspects of the methodology,

which require wider supervisory discretion, such as approaches to assessing the internal controls of obliged entities,

should be covered by non-binding guidelines, recommendations and opinions of the Authority. The harmonised

supervisory methodology should take due account of and, where appropriate, leverage existing supervisory

methodologies relating to other aspects of supervision of obliged entities in the financial sector, especially where

there is interaction between AML/CFT supervision and prudential supervision. More specifically, the supervisory

methodology to be developed by the Authority should complement the guidelines and other instruments developed

by the European Supervisory Authority (European Banking Authority) (EBA) established by Regulation

(EU) No 1093/2010 of the European Parliament and of the Council (⁶) detailing the approaches of prudential

supervisory authorities with respect to taking into account ML/TF risks in prudential supervision, in order to ensure

effective interaction between AML/CFT supervision and prudential supervision. A harmonised supervisory

methodology would also enable the development of common supervisory tools for interactions with, and data

requests from, obliged entities across the entire supervisory system. The Authority should be able to coordinate the

development of such tools in the form of structured questionnaires, based online or offline, and integrated into

a single platform for interaction with obliged entities and among supervisors within the system. Such a platform

would not only facilitate supervisory processes and harmonised supervisory approaches, but also avoid duplicative

reporting requirements and the imposition of an excessive burden on obliged entities under supervision whether at

Union or at national level.

(11) The extension of money laundering’s predicate offences to include the non-implementation and evasion of targeted

financial sanctions requires the development of an understanding of threats and vulnerabilities in that area at the

level of obliged entities, supervisors and the Union. In carrying out its supervisory tasks in relation to selected

obliged entities, the Authority should therefore ensure that those entities have in place adequate systems to

implement requirements related to targeted financial sanctions. Similarly, given its central role in ensuring an

effective supervisory system across the internal market, the Authority should support supervisory convergence in

that area to ensure adequate oversight of the compliance of credit institutions and financial institutions with

requirements related to the implementation of targeted financial sanctions. The information collected through the

Authority’s supervisory and convergence tasks constitutes a resource for the Union’s understanding of risks in

relation to the non-implementation and evasion of targeted financial sanctions, and can contribute to the

(⁶)

Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European

Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision

2009/78/EC (OJ L 331, 15.12.2010, p. 12).

3/90

EN

OJ L, 19.6.2024

identification of effective mitigating measures. To that end, the Authority should contribute its experience and

knowledge to the development of a risk assessment at Union level in relation to the non-implementation and evasion

of targeted financial sanctions.

(12) The Authority should be entrusted with the development of draft regulatory technical standards in order to complete

the harmonised rulebook established in Regulation (EU) 2023/1113, Regulation (EU) 2024/1624 and Directive

(EU) 2024/1640. The Commission should be empowered to endorse draft regulatory technical standards by means

of delegated acts pursuant to Article 290 TFEU in order to give them binding legal effect.

(13) The Authority should be entrusted with the development of draft implementing technical standards where needed to

ensure uniform conditions for the implementation of this Regulation. The Commission should be empowered to

adopt implementing technical standards by means of implementing acts pursuant to Article 291 TFEU.

(14) The draft regulatory and implementing technical standards should be subject to amendment only in very restricted

and extraordinary circumstances, since the Authority is the actor in closest contact with, and with the best

knowledge of, the AML/CFT framework. To ensure a smooth and expeditious adoption process for those standards,

the Commission’s decision to endorse draft regulatory and implementing technical standards should be subject to

a time limit.

(15) In the process of developing draft regulatory and implementing technical standards and guidelines and

recommendations addressed to obliged entities, supervisors or FIUs, the Authority should as a rule conduct open

public consultations, unless those consultations and analyses are highly disproportionate to the scope and impact of

the measures concerned or to the particular urgency of the matter. The public consultations should be conducted in

order to analyse the potential related costs and benefits of the new measures and the requirements they are

introducing, and in order to make sure that all stakeholders, including other Union bodies whose area of competence

might be concerned, have had a chance to provide their input and advice. As the role of civil society, including

academia, investigative journalists, and non-governmental organisations, has proven paramount over the years in

identifying criminal patterns and how the Union AML/CFT framework can be strengthened to prevent criminal

misuse of the internal market, the Authority should pay particular attention to the input provided by civil society. It

should ensure appropriate engagement of civil society and active solicitations of its views during its policy-making

process.

(16) Since there are no sufficiently effective arrangements to handle AML/CFT incidents involving cross-border aspects, it

is necessary to put in place an integrated AML/CFT supervisory system at Union level that ensures consistent

high-quality application of the AML/CFT supervisory methodology and promotes efficient cooperation between all

relevant competent authorities. For those reasons, the Authority and the national AML/CFT supervisory authorities

should together constitute an AML/CFT supervisory system. The AML/CFT supervisory system should be based on

mutual trust and cooperation in good faith, including exchanges of information and data related to supervision, in

order to enable the Authority and supervisory authorities to carry out their tasks effectively. The AML/CFT

supervisory system would benefit supervisory authorities when faced with specific challenges, for example vis-à-vis

an enhanced ML/TF risk or due to a lack of resources, as within that system mutual assistance should be available on

request. That mutual assistance could also involve exchange and secondments of personnel, training activities and

exchanges of best practices. Furthermore, the Commission could provide technical support to Member States under

Regulation (EU) 2021/240 of the European Parliament and of the Council (⁷) to promote reforms aimed at

reinforcement of the fight against money laundering.

(17) Given the important role played by thematic reviews in AML/CFT supervision across the Union, since they enable the

level of exposure to risks in relation to obliged entities under supervision to be identified and compared, and given

that, at present, supervisors in different Member States do not benefit from those reviews, it is necessary that the

(⁷)

Regulation (EU) 2021/240 of the European Parliament and of the Council of 10 February 2021 establishing a Technical Support

Instrument (OJ L 57, 18.2.2021, p. 1).

4/90

EN

OJ L, 19.6.2024

Authority identifies national thematic reviews that have a similar scope and timeframe and ensures their

coordination at Union level. To avoid situations of possibly conflicting communications with supervised entities, the

coordination role of the Authority should be limited to interaction with the relevant supervisory authorities, and

should not include any direct interaction with non-selected obliged entities. For the same reason, the Authority

should explore the possibility of aligning or synchronising the timeframe of national thematic reviews and facilitate

any activities that the relevant supervisory authorities might wish to carry out, whether jointly or otherwise.

(18) Efficient usage of data leads to better monitoring and compliance of obliged entities. Therefore, both direct and

indirect supervision by the Authority and supervisory authorities of all obliged entities across the AML/CFT

supervisory system should rely on expeditious access to relevant data and information about the obliged entities

themselves and the supervisory actions and measures taken regarding them, subject to limited retention periods in

accordance with the applicable data protection framework. To that end, and taking into account the confidential and

sensitive nature of the information, the Authority should establish a central AML/CFT database with information

collected from all supervisory authorities, and should make such information available to any supervisory authority

and non-AML/CFT authority within the system where necessary, on a confidential and need-to-know basis. The

collected data should also cover the relevant aspects of the withdrawal of authorisation procedures and ‘fit and

proper’ assessments of shareholders or members of the management body of individual obliged entities as that

would enable supervisory authorities and non-AML/CFT authorities to duly consider possible shortcomings of

specific entities and individuals that might have materialised in other Member States. The database should also

include statistical information about supervisory authorities and FIUs. All collected data and information would

enable effective oversight by the Authority of the proper functioning and effectiveness of the AML/CFT supervisory

system. The information from the database would enable the Authority to react in a timely manner to potential

weaknesses and cases of non-compliance by non-selected obliged entities. In order to ensure that the database

contains all relevant information that is available across the AML/CFT supervisory system, supervisory authorities

should have the flexibility to submit other categories of data in addition to those directly envisaged by this

Regulation. In the same vein, the Authority, while managing the database and analysing the submitted data, would

be best placed to identify which additional data points or categories of data could be requested from supervisory

authorities to boost the effectiveness of the database. To assist in compiling, storing and using a coherent and

structured dataset, it is necessary to further specify the format, procedures, timelines and other details regarding the

scope and nature of the data to be transmitted to the database. For that purpose, the Authority should develop draft

regulatory technical standards and submit them to the Commission. The specifications provided for in the regulatory

technical standards would determine the appropriate level of detail for specific categories of information expected to

be transmitted with respect to the various types of supervisory activities or categories of obliged entities. The data

collected with regard to obliged entities in the non-financial sector should consider the principle of proportionality

and the mandate of the Authority in the non-financial sector. In addition, considering that the Authority would

introduce oversight at Union level in the non-financial sector for the first time, and that Directive (EU) 2024/1640

requires adjustments in the national institutional framework for supervision which need to be transposed, it is

necessary to envisage a sufficient period to prepare the integration into the database of the information from

supervisory authorities in the non-financial sector. Specifically, non-financial sector data should be submitted to the

database by four years from the date of entry into force of this Regulation, which is one year after the deadline for

transposition of Directive (EU) 2024/1640. However, supervisory authorities in the non-financial sector should be

able to submit those data on a voluntary basis before that date. The personal data processed in the context of the

database should be retained for a period of up to 10 years after the date of their collection by the Authority. Such

a retention period is strictly necessary and proportionate for the purpose of supervisory activities carried out by the

Authority and supervisory authorities. The length of the data retention period also ensures that the Authority and

supervisory authorities retain access to the necessary information on the risk assessment, business activities, controls

placed on and breaches by individual obliged entities in order to carry out their duties, which requires them to access

case-related information over a longer period of time. Such a retention period is notably necessary since supervisory

authorities should take into account, among other factors, the gravity, duration and repetitiveness of the breach to

determine the level of sanctions or measures to be applied, which requires case-related information to be analysed

over a longer period of reference. Similarly, such a retention period is also necessary with regard to information

resulting from ‘fit and proper’ assessments of shareholders or members of the management body in order to ensure

that supervisory authorities have sufficient information to assess whether they are of good repute, act with honesty

and integrity, and possess the knowledge and expertise necessary to carry out their functions, and to ensure ongoing

monitoring of those conditions as required by Directive (EU) 2024/1640. Personal data should be deleted where it is

5/90

EN

OJ L, 19.6.2024

no longer necessary to keep them. In view of the purpose of the database and the use of the information contained

therein by the various participants of the AML/CFT supervisory system, it should not contain any data covered by

legal privilege.

(19) With the objective of ensuring a more effective and less fragmented protection of the Union’s financial framework,

a limited number of the riskiest obliged entities should be directly supervised by the Authority. As ML/TF risks are

not proportional to the size of the supervised entities, other criteria should be applied to identify the riskiest entities.

In particular, two categories should be considered: high-risk cross-border credit institutions and financial institutions

with activity in a significant number of Member States, selected periodically; and, in exceptional cases, any entity

whose material breaches of applicable requirements are not sufficiently or in a timely manner addressed by its

national supervisor. In such exceptional cases, either the Authority or the financial supervisors should be able to

request a transfer of supervision from national to Union level, with a proper justification. Where such requests for

transfer are submitted by the Authority, they should be examined by the Commission and either approved or

rejected by means of an official decision, taking into account the justification submitted. Where such requests for

transfer are submitted by the financial supervisors to the Authority and involve the voluntary delegation of tasks and

powers, it should be for the Authority to decide on the necessity of the transfer, and assume direct supervision of the

obliged entity or group in question where it finds that the Union’s interests and the integrity of the AML/CFT system

so require. All entities in respect of which the Authority would be exercising direct supervisory powers fall under the

category of ‘selected obliged entities’.

(20) The first category of credit institutions and financial institutions, or groups of credit institutions and financial

institutions, should be assessed every three years, based on a combination of objective criteria related to their

cross-border presence and activity and criteria related to their ML/TF risk profile. Only credit institutions or financial

institutions, or groups of credit institutions or financial institutions, which are present in a significant number of

Member States, regardless of whether they operate through establishments or under the freedom to provide services

in Member States, and for which supervision at Union level would therefore be more adequate, should be included in

the selection process.

(21) The periodic assessment of the risk profile of credit institutions and financial institutions for the purpose of selection

for direct supervision should rely on data to be provided by the financial supervisors or, in respect of already selected

obliged entities, by the Authority. In addition, the Authority should ensure the harmonised application of the

methodology by financial supervisors and coordinate the assessment of the risk profile of entities at group-wide

level. An implementing technical standard should specify the respective roles of the Authority and the financial

supervisors in the assessment process. The Authority should ensure alignment, where appropriate, between the

methodology for the assessment of the risk profile for the purpose of selection pursuant to this Regulation, and the

methodology for harmonising the assessment of the inherent and residual risk profiles of obliged entities at national

level to be developed in the regulatory technical standards adopted pursuant to Article 40(2) of Directive

(EU) 2024/1640.

(22) Given the existing wide diversity of approaches adopted by national authorities to the evaluation of the residual risk

profile of obliged entities, the process of regulatory development of a refined and detailed harmonised methodology

allowing for the assessment of residual risk with comparable outcomes is evolving and should be begun on the basis

of the work carried out by the EBA as soon as possible. Therefore, the methodology for the categorisation of residual

risk to be adopted for the first identification of selected obliged entities should aim to be more straightforward and

to harmonise the different approaches applied at national level. The Authority should review its methodology every

three years, taking into account the evolution of relevant knowledge.

(23) The final selection criterion should ensure a level playing field among directly supervised obliged entities and, to that

end, no discretion should be left to the Authority or supervisory authorities in deciding on the list of obliged entities

that are to be subject to direct supervision. Therefore, where a given assessed obliged entity operates cross-border

and falls within the high risk category pursuant to the harmonised methodology, it should be deemed to qualify as

a selected obliged entity.

(24) To provide transparency and clarity to the relevant institutions, the Authority should publish a list of the selected

obliged entities within six months of the commencement of a selection period, after verifying that the information

provided by the financial supervisors corresponds to the cross-border activities criteria and to the risk profile

methodology. Therefore it is important that at the beginning of each selection period, the relevant financial

supervisors and, if necessary, the obliged entities themselves, provide the Authority with up-to-date statistical

information to determine the list of financial institutions eligible for assessment in accordance with the assessment

entry criteria relating to their cross-border operations. In that context, the financial supervisors should inform the

6/90

EN

OJ L, 19.6.2024

Authority of the risk profile category that a financial institution falls into in their jurisdictions pursuant to the

methodology laid down in the regulatory technical standards. The Authority should then commence direct

supervision of the selected obliged entities six months after the publication of the list. That time is needed to

appropriately prepare the transfer of supervisory tasks from national to Union level, including the formation of

a joint supervisory team and the adoption of any relevant working arrangements with the relevant financial

supervisors.

(25) To ensure legal certainty and a level playing field among selected obliged entities, any selected obliged entity should

remain under the direct supervision of the Authority for at least three years, even if, after the moment of selection

and in the course of those three years, the selected obliged entity ceases to meet any of the cross-border activity or

risk-related criteria due to, for example, a potential ceasing, consolidation, expansion or re-allocation of activities

carried out through establishments or under the freedom to provide services. The Authority should also ensure that

sufficient time is allocated to the preparation by the selected obliged entities and their supervisory authorities for the

transfer of supervision from national to Union level. Therefore, each subsequent selection should commence 12

months before the expiry of the three-year period of supervision of the previously selected obliged entities.

(26) The Authority should supervise obliged entities in the financial sector having a high risk profile where such entities

operate in at least six Member States whether through establishments or under the freedom to provide services

within the Union. In such cases, supervision at Union level by the Authority would bring significant added value

compared to fragmented supervision between home and host Member States by eliminating the need for national

supervisors of home and host Member States to coordinate and align the measures taken with regard to various parts

of the same group. In order to ensure the homogeneous supervision of groups and a more granular analysis of the

risk of the cross-border entities assessed, the assessment of the ML/TF risk of obliged entities which are part of

a group should always be done at the level of the group, resulting in a single group-wide risk score to be considered

for the purposes of the selection. The entire group should then be considered as the selected obliged entity. While the

exact number of entities that could meet the risk and cross-border activities criteria for direct supervision varies and

depends on their business model and money-laundering risk profile at the moment of the assessment, it is necessary

to ensure an optimal, progressive and dynamic repartition of competences between the Union and national

authorities in the first phase of the existence of the Authority. To ensure a sufficient number and adequate range of

types of high-risk groups and entities that are supervised at Union level, the Authority should have sufficient

resources to simultaneously supervise up to 40 groups and entities, at least during the first selection process. In the

event that more than 40 entities would qualify for direct supervision based on their high risk profile, the Authority

should select from among them the 40 entities operating, whether through establishments or under the freedom to

provide services, in the highest number of Member States. In the event that that criterion is not sufficient to be able

to select 40 entities, in particular where several obliged entities operate in the same number of Member States — for

example, entities number 39, 40 and 41 all operate in the same number of Member States — the Authority should

be able to distinguish among them and should select those that have the highest ratio of volume of transactions with

third countries to their total volume of transactions. In subsequent selection processes, and building on the

experience with supervision acquired during the first selection process, it would be beneficial for the number of

entities under its supervision to increase also for the Authority to ensure complete coverage of the internal market

under its supervision. To that end, in the event that more than 40 entities would qualify for direct supervision based

on their high risk profile, the Authority should be able to, in consultation with the supervisory authorities, agree to

supervise a specific different number of entities or groups that is greater than 40. In deciding on that specific

number, the Authority should take into account its own resources in terms of its capacity to allocate or additionally

hire the necessary number of supervisory and support staff and should ensure that the increase in the financial and

human resources is feasible. At the same time, complete coverage of the internal market could be ensured by

supervising at least one entity per Member State. In the Member States where no entities are identified following the

regular selection process, the risk methodology designed for the selection process, including the criteria for choosing

between several entities with a high risk profile, should be applied in order to select one entity.

(27) The relevant actors involved in the application of the AML/CFT framework should cooperate with each other in

accordance with the duty of sincere cooperation enshrined in the Treaties. In order to ensure that the AML/CFT

supervisory system composed of the Authority and supervisory authorities functions as an integrated mechanism,

and that jurisdiction-specific risks and local supervisory expertise are duly taken into account and well utilised, direct

supervision of selected obliged entities should take place in the form of joint supervisory teams and, where

appropriate, dedicated on-site inspection teams. Those teams should be led by a staff member of the Authority

coordinating all supervisory activities of the team (‘JST coordinator’). The JST coordinator and other staff members of

7/90

EN

OJ L, 19.6.2024

the Authority allocated to the joint supervisory team should be based at the seat of the Authority but should be able

to carry out their day-to-day tasks and supervisory activities in any Member State where the selected obliged entity

has its operations. To that end, the financial supervisors should assist in ensuring smooth and flexible working

arrangements for all joint supervisory team members. The Authority should be in charge of the establishment and

composition of the joint supervisory team, and the local supervisors involved in the supervision of the entity should

ensure that a sufficient number of their staff members is appointed to the team, taking into account the risk profile

of the selected obliged entity in their jurisdiction, as well as its overall volume of activity. Each supervisor involved in

the supervision of a group should appoint a member to the joint supervisory team. However, in cases where the risk

of the obliged entity’s activities is low in a particular Member State, the financial supervisor in that Member State

should be able to choose, in agreement with the JST coordinator, not to appoint a member to the joint supervisory

team. Where no member is appointed to the joint supervisory team, the relevant financial supervisor should still

have a contact point for any joint supervisory team matters and responsibilities.

(28) To ensure that the Authority can fulfil its supervisory obligations in an efficient manner with regard to selected

obliged entities, the Authority should be able to obtain any internal documents and information necessary for the

exercise of its tasks and for that purpose have the general investigation powers afforded to all supervisory authorities

under national administrative law. To that end, the Authority should be able to address information requests to the

selected obliged entity, to natural persons employed by it, to legal persons belonging to it and to parties contracted

by it, such as: the obliged entity itself or any legal person within the obliged entity; employees of the obliged entity

and persons in comparable positions, including agents and distributors; external contractors; and third parties to

whom a selected obliged entity has outsourced its activities.

(29) The Authority should have the power to require actions, internal to an entity, to enhance the compliance of obliged

entities with the AML/CFT framework, including reinforcement of internal procedures and changes in the

governance structure, going as far as removal of members of the management body, without prejudice to the powers

of other relevant supervisory authorities of the same selected obliged entity. Following findings related to

non-compliance or partial compliance with applicable requirements by the selected obliged entity, it should be able

to impose specific measures or procedures for particular clients or categories of clients who pose high ML/TF risks.

On-site inspections should be a regular feature of such supervision and could be performed by dedicated teams. If

a specific type of on-site inspection, for instance with respect to a natural person where the business premises are the

same as the person’s private residence, requires authorisation by the national judicial authority, such authorisation

should be applied for by the Authority.

(30) The Authority should have a full range of supervisory powers in relation to directly supervised entities in order to

ensure compliance with applicable requirements. Those powers should apply in cases where the selected obliged

entity does not meet its requirements, in cases where certain requirements are not likely to be met, as well as in cases

where internal procedures and controls are not appropriate to ensure sound management of selected obliged entity’s

ML/TF risks. The exercise of those powers could be done by means of binding decisions addressed to individual

selected obliged entities.

(31) In addition to supervisory powers to apply administrative measures, and in order to ensure compliance, in any cases

of breaches of directly applicable requirements, the Authority should be able to impose pecuniary sanctions on the

selected obliged entities. For serious, repeated or systematic breaches, the Authority should always apply pecuniary

sanctions. Such sanctions should be proportionate and dissuasive, should have both punitive and deterrent effect,

and should comply with the principle of ne bis in idem. The maximum amounts of pecuniary sanctions should be in

line with those established by Directive (EU) 2024/1640 and available to all supervisory authorities across the

Union. The basic amounts of those sanctions should be determined within the limits established by the AML/CFT

framework, taking into account the nature of the requirements that have been breached. In order for the Authority

to adequately take aggravating or mitigating factors into account, adjustments to the relevant basic amount should

be possible. With the objective of achieving a timely end to the damaging business practice, the Executive Board of

the Authority should be empowered to impose periodic penalty payments to compel the relevant legal or natural

person to cease the relevant conduct. With the aim of heightening awareness of all obliged entities, by encouraging

them to adopt business practices in line with the AML/CFT framework, the pecuniary sanctions and periodic penalty

payments should be disclosed. The disclosure regime for administrative measures as well as the pecuniary sanctions

8/90

EN

OJ L, 19.6.2024

and periodic penalty payments imposed by the Authority and detailed in this Regulation should be closely aligned

with that at national level, as provided by Directive (EU) 2024/1640. The Court of Justice should have jurisdiction to

review the legality of decisions adopted by the Authority, the Council and the Commission, in accordance with

Article 263 TFEU, as well as to determine their non-contractual liability.

(32) It is important that the authorities in charge of overseeing the implementation of targeted financial sanctions at

national level are informed in a timely manner of any violation of such obligation by selected obliged entities. To that

end, the Authority should be able to share such information with the financial supervisor in the relevant Member

State and instruct it to convey such information to the national authority responsible for overseeing the

implementation of those sanctions.

(33) For non-selected obliged entities, the AML/CFT supervision is to remain primarily at national level, with national

competent authorities retaining full responsibility and accountability for direct supervision. The Authority should be

granted adequate indirect supervisory powers to ensure that supervisory actions at national level are consistent and

of a high quality across the Union. Therefore, it should carry out assessments of the state of supervisory convergence

and publish reports with its findings. It should be empowered to adopt follow-up measures in the form of guidelines

and recommendations, including individual recommendations addressed to financial supervisors as a result of the

assessment, with a view to ensuring harmonised and high-level supervisory practices across the Union. Individual

recommendations could contain suggestions of specific follow-up measures and the financial supervisor should

make every effort to comply with those measures. Where a financial supervisor does not implement the follow-up

measures, the Authority should take the adequate and necessary steps in accordance with this Regulation.

(34) The Authority should also be able to settle disagreements between financial supervisors concerning the measures to

be taken in relation to a non-selected obliged entity in the financial sector. In order to ensure constructive

cooperation, the Authority should in the first instance attempt to resolve the disagreement through a conciliation

phase with a set time limit. In the event that the conciliation phase does not achieve the desired results, the Authority

should be able to adopt a binding decision requiring those supervisors to take specific action or to refrain from

certain action, in order to settle the matter and to ensure compliance with Union law.

(35) For the purposes of safeguarding the proper functioning and effectiveness of the AML/CFT supervisory system, the

Authority should be able to identify and act in cases of systematic failures of supervision caused by breaches of

Union law resulting from the non-application or improper application of national measures transposing Union

directives. To that end, and without prejudice to the powers of the Commission to launch an infringement procedure

pursuant to the TFEU, the Authority should be able to investigate such possible breaches. Where the Authority has

established a breach, after informing the supervisor concerned and, where appropriate, giving other financial

supervisors the opportunity to provide information on the matter, the Authority should be able, if it considers it

appropriate, to issue a recommendation to the supervisor in question, outlining the measures to be taken to rectify

the breach. Where the shortcomings identified have not been remedied, the Commission should also be able to issue

an opinion requiring the supervisor to comply with the recommendation issued by the Authority.

(36) Certain obliged entities in the financial sector that do not meet the requirements of the regular selection process

might nonetheless have a high inherent or residual risk profile from the ML/TF perspective, or might take on, change

or expand activities that entail high risk, not mitigated by a commensurate level of internal controls, thus leading to

serious, repeated or systematic breaches of AML/CFT requirements. If there are indications of possible serious,

repeated or systematic breaches of applicable AML/CFT requirements, they might be a sign of gross negligence on the

part of the obliged entity. The supervisory authority should be able to adequately respond to any possible breaches

and prevent the risks from materialising and leading to gross negligence in the application of AML/CFT

requirements. However, in certain cases, a national level response might not be sufficient or timely, especially when

there are indications that serious, repeated or systematic breaches at the level of the entity have already occurred. In

those cases, the Authority should request the local supervisor to take specific measures to remedy the situation,

including requesting the local supervisor to issue financial sanctions or other coercive measures. To prevent ML/TF

risks from materialising, the deadline for action at national level should be sufficiently short.

9/90

EN

OJ L, 19.6.2024

(37) The Authority should be notified where the situation of a non-selected obliged entity with regard to its compliance

with applicable requirements and its exposure to ML/TF risks deteriorates rapidly and significantly, especially where

such deterioration could result in significant harm to the reputation of several Member States or of the Union as

a whole.

(38) The Authority should have the opportunity to request a transfer of supervisory tasks and powers relating to

a specific obliged entity on its own initiative in the case of inaction, or failure or inability to follow its instructions

within the provided deadline. Since the transfer of tasks and powers relating to an obliged entity without a specific

request addressed to the Authority by the financial supervisor would require a discretionary decision on the part of

the Authority, the Authority should address a specific request to that end to the Commission. In order for the

Commission to be able to take a decision coherent with the framework of the tasks allocated to the Authority within

the AML/CFT framework, the request of the Authority should enclose an appropriate justification, and should

specify the duration of the reallocation of tasks and powers to the Authority. The timeframe for the reallocation of

powers should correspond to the time the Authority requires to deal with the risks at entity level, and should not

exceed three years. The Authority should be able to request a prolongation of that timeframe where the breaches

identified have not been fully addressed. That prolongation should be limited to what is necessary to address those

breaches and not exceed three years. The Commission should adopt a decision transferring powers and tasks for

supervising the entity to the Authority swiftly, and in any case without undue delay. That decision should be

communicated to the European Parliament and to the Council.

(39) In order to improve supervisory practices in the non-financial sector, the Authority should carry out peer reviews of

non-financial supervisors, which should also include peer reviews of public authorities overseeing self-regulatory

bodies. To that end, the Authority should develop the methodological framework for such reviews, including rules to

avoid conflicts of interest in the conduct of peer reviews and in the drawing up of findings and regarding the

consideration to be given to evaluations by international organisations and intergovernmental bodies with

competence in the field of ML/TF prevention, when deciding on the planning of peer reviews and on their content.

With a view to fostering convergence of supervisory practices, the Authority should publish reports with findings

from those peer reviews, including shortcomings and good practices identified. Those reports could be accompanied

by guidelines or recommendations addressed to the relevant public authorities, including public authorities

overseeing self-regulatory bodies. Self-regulatory bodies should be able to participate in peer reviews where they

have expressed an interest in doing so.

(40) With the objective of increasing the efficiency of the implementation of AML/CFT measures also in the non-financial

sector, the Authority should also be able to investigate possible breaches or incorrect application of Union law by

supervisors in that sector as well as by public authorities overseeing self-regulatory bodies. Where the Authority

establishes that a breach exists, it should be able to issue a recommendation vis-à-vis the non-financial supervisor or

supervisory authority concerned specifying the measures to be taken to rectify it. Where no appropriate action has

been taken in response to that recommendation, the Authority should also be able to issue a warning to the relevant

counterparties of the supervisory authority or non-financial supervisor. The powers of the Authority to issue such

recommendations and warnings are without prejudice to the powers of the Commission to launch infringement

procedures against Member States where it detects a situation of non-implementation or poor implementation of

Union law, in accordance with the powers conferred on it under the Treaties.

(41) The Authority should also be able to settle disagreements between non-financial supervisors concerning the

measures to be taken in relation to an obliged entity in the non-financial sector. In order to ensure constructive

cooperation, the Authority should attempt to resolve disagreements through a conciliation phase with a set time

limit. At the end of the conciliation phase, the Authority should issue an opinion on how to settle the disagreement.

(42) In light of the cross-border nature of ML/TF, effective and efficient cooperation, information exchange and

coordinated action between FIUs are of crucial importance. In order to improve such coordination and cooperation,

the Authority should be entrusted with tasks and powers enabling the Authority and FIUs to jointly constitute

a support and coordination mechanism for FIUs. To that end, the Authority should have sufficient human, financial

and IT resources, which should, where necessary, be organisationally separated from the staff carrying out the tasks

relating to the Authority’s supervisory activities. The success of the support and coordination mechanism for FIUs

10/90

EN

OJ L, 19.6.2024

depends on the Authority and FIUs cooperating in good faith and exchanging all relevant information required to

fulfil their respective tasks. In the case of a disagreement between FIUs in relation to cooperation and the exchange

of information, the Authority should be informed accordingly and should be able to act as a mediator between the

relevant FIUs.

(43) In order to analyse suspicious activity affecting multiple jurisdictions, FIUs that received linked reports should be

able to efficiently conduct joint analyses of cases of common interest. To that end, the Authority should be able to

propose, initiate, coordinate and support with all appropriate means joint analyses of cross-border suspicious

transactions or activities. A joint analysis should be triggered where there is a need for one pursuant to the relevant

provisions of Union law and in accordance with the methods and criteria for the selection and prioritisation of cases

relevant for the conduct of joint analyses developed by the Authority. FIUs should make every effort to accept the

Authority’s invitation to take part in a joint analysis. An FIU that declines to take part in a joint analysis should

explain the reasons for its refusal to the Authority. Where relevant, those reasons should be provided to the FIU that

identified the need to carry out the joint analysis. Upon the express consent of the FIUs participating in the joint

analysis, the staff of the Authority supporting the conduct of the joint analysis should be granted access to all

necessary data and information, including data and information pertaining to the subject matter of the case.

(44) The Authority should be able to request FIUs to initiate a joint analysis under specific circumstances, including where

information has been brought to the attention of the Authority by whistleblowers or investigative journalists or

where the joint analysis of complex and cross-border cases would add value. FIUs that have been requested to

participate in a joint analysis should respond to the Authority without delay indicating whether they are willing to

participate in the joint analysis and, if they are not willing to participate, providing their reasons therefor.

(45) Identifying, at an early stage, links with information held by other Union bodies, offices and agencies and by relevant

third parties is critical to ensure that the most relevant cross-border cases, including those requiring extensive

operational analysis, are selected. In that respect, and subject to the consent of all FIUs that have indicated their

willingness to take part in a joint analysis, the staff of the Authority should be authorised to cross-match, on

a hit/no-hit basis, the data of those FIUs with the information made available by other FIUs and Union bodies, offices

and agencies, including Europol. The Authority should ensure that the most advanced state-of-the-art technology

available, including privacy-enhancing technologies, is used for the purposes of cross-matching information on

a hit/no-hit basis. The match functionality of the FIU.net system is an example of a solution which allows an FIU to

establish in real time whether a subject whose data is pseudonymised is already known by the FIU of another

country or by a Union body, office or agency, which avoids the unnecessary processing of personal data. In the case

of a hit, the Authority should share the information that generated a hit with the FIUs involved in the joint analysis.

In those circumstances, the Authority should also share the information that triggered the hit with Union bodies,

offices and agencies, subject to the prior consent of the FIU providing the information.

(46) In order to ensure that the process for establishing a joint analysis is fast and efficient, the Authority should be

responsible for the establishment and composition of the joint analysis team and its coordination.

(47) Effective operational cooperation in cross-border cases between the Authority and other relevant Union bodies,

offices and agencies is of crucial importance. In order to ensure that, where relevant, the results of joint analyses of

cross-border cases are followed up effectively, the Authority should report the results of joint analyses to the

European Public Prosecutor’s Office (EPPO) or transmit them to the European Anti-Fraud Office (OLAF) where the

results of a joint analysis indicate that a criminal offence, in respect of which the EPPO or OLAF could exercise their

competences, may have been committed. Furthermore, subject to the agreement of all FIUs participating in a joint

analysis, the Authority should also be able to transmit the results of that joint analysis to Europol and Eurojust where

the results of that joint analysis indicate that a criminal offence may have been committed in respect of which

Europol and Eurojust could exercise their competences. The Authority should be able to exchange strategic

information, such as typologies and risk indicators, with the EPPO, OLAF, Europol and Eurojust.

11/90

EN

OJ L, 19.6.2024

(48) Pursuant to Article 24 of Council Regulation (EU) 2017/1939 (⁸), the Authority is to report without undue delay to

the EPPO any criminal conduct in respect of which it could exercise its competence in accordance with Article 22

and Article 25(2) and (3) of that Regulation. Pursuant to Article 8 of Regulation (EU, Euratom) No 883/2013 of the

European Parliament and of the Council (⁹), the Authority is to transmit to OLAF without delay any information

relating to possible cases of fraud, corruption or any other illegal activity affecting the financial interests of the

Union. In accordance with the applicable provisions of the legal instruments governing them, the EPPO and OLAF

should inform the Authority of the steps taken in relation to the information provided and any relevant outcomes.

(49) In order to improve the effectiveness of joint analyses, the Authority should be able to establish methods and

procedures for the conduct of joint analyses. Based on the feedback provided by the FIUs involved in joint analyses,

the Authority should be able to review their conduct, in order to identify the lessons learnt. Such reviews should

enable the Authority to issue follow-up reports and conclusions to be shared with all FIUs, without disclosing

confidential or restricted information, with the aim of further refining and improving the methods and procedures

for the conduct of joint analyses, ultimately improving and promoting the analyses themselves.

(50) In order to facilitate and improve cooperation between FIUs and the Authority, including for the purposes of

conducting joint analyses, FIUs should delegate one or more staff members per FIU to the Authority (‘national FIU

delegates’’). The national FIU delegates should support the staff of the Authority in carrying out all the tasks relating

to FIUs, including the conduct of joint analyses and the preparation of threat assessments and strategic analyses of

ML/TF threats, risks and methods. While remaining under the authority of their delegating FIU, FIU delegates should

be operationally independent and autonomous when carrying out their tasks and duties under this Regulation. They

should not seek nor take instructions from Union institutions, bodies, offices or agencies, or from governments or

other public or private bodies. Their tasks and duties should be without prejudice to the security and confidentiality

rules of FIUs.

(51) Other than joint analyses, the Authority should encourage and facilitate various forms of mutual assistance between

FIUs, including training and staff exchanges in order to improve capacity building and enable the exchange of

knowledge and good practices amongst FIUs. The Authority’s role in supporting FIUs in their activities grants it

a unique position to facilitate access by FIUs to databases and tools that are instrumental to improve the quality of

financial intelligence. The Authority should use its position to negotiate, on behalf of all FIUs, contracts with

providers of those tools and databases, as well as relevant training for its staff and the staff of FIUs. The Authority

should also have a mediation role in the event of disagreements between FIUs. To that end, FIUs should be able to

refer disagreements related to cooperation, including the exchange of information between FIUs, to the Authority for

mediation in the event that they fail to solve those disagreements by means of direct contact and dialogue.

(52) The Authority should manage, host and maintain FIU.net. The Authority should keep the system up-to-date, taking

into account the needs expressed by FIUs. To that end, the Authority should ensure that at all times the most

advanced state-of-the-art technology available is used for the development of FIU.net, subject to a cost-benefit

analysis. As the Authority should rely on third-party service providers only for non-essential tasks, it should not

outsource the hosting and management of FIU.net. The Authority should not have access to the content of the

information exchanged within FIU.net, except where it is an intended recipient of such information. In order to be

able to send, receive and cross-match information, the Authority should be provided with an operational node in the

FIU.net system.

(53) In order to establish consistent, efficient and effective supervisory and FIU-related practices and ensure the common,

uniform and coherent application of Union law, the Authority should be able to issue guidelines and

(⁸)

(⁹)

Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the

European Public Prosecutor’s Office (‘the EPPO’) (OJ L 283, 31.10.2017, p. 1).

Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning

investigations conducted by the European Anti-Fraud Office (OLAF) and repealing Regulation (EC) No 1073/1999 of the European

Parliament and of the Council and Council Regulation (Euratom) No 1074/1999 (OJ L 248, 18.9.2013, p. 1).

12/90

EN

OJ L, 19.6.2024

recommendations addressed to all, or a category of, obliged entities and all, or a category of, supervisory authorities

and FIUs. The guidelines and recommendations could be issued pursuant to a specific empowerment in the

applicable Union acts, or on the own initiative of the Authority, where there is a need to strengthen the AML/CFT

framework at Union level.

(54) To provide optimal assistance to FIUs and thereby increase the effectiveness of the support and coordination

mechanism for FIUs, the Authority and FIUs should be able to strengthen the effectiveness of FIU activities,

identifying and promoting best practices. Peer reviews would be the best instrument to allow for an objective

assessment of such activities and practices, and therefore the Authority should be tasked with organising such peer

reviews, based on methods and rules of procedure for the conduct of such reviews, to be developed centrally by the

Authority. To be useful, peer reviews should be comprehensive and cover all relevant aspects of the tasks of FIUs set

out in Chapter III of Directive (EU) 2024/1640. Therefore, they should cover, inter alia, the adequacy of FIUs’

resources, the measures implemented to ensure FIUs’ operational independence and autonomy, the measures put in

place to protect the security and confidentiality of the information processed by FIUs, the functions related to receipt

of suspicious transaction reports, the functions related to the operational and strategic analyses of FIUs and their

dissemination, and domestic and cross-border cooperation arrangements and practices of FIUs. The peer reviews

could result in the issuance by the Authority of guidelines and recommendations aimed at promoting any identified

best practices and addressing any shortcomings.

(55) The establishment of a solid governance structure within the Authority is essential for ensuring the effective exercise

of the tasks granted to the Authority, and for an efficient and objective decision-making process. Due to the

complexity and variety of the tasks conferred on the Authority in both the supervision and FIU areas, the decisions

cannot be taken by a single governing body, as is often the case in decentralised agencies. Whereas certain types of

decisions, such as decisions on the adoption of common instruments, need to be taken by representatives of the

appropriate authorities or FIUs and respect the voting rules of the TFEU, certain other decisions, such as the

decisions in relation to individual selected obliged entities or individual authorities, require

a

smaller

decision-making body, whose members should be subject to appropriate accountability arrangements. Therefore,

the Authority should have a General Board and an Executive Board.

(56) In order to ensure the relevant expertise, the General Board should have two compositions. For all decisions on the

adoption of acts of general application such as draft regulatory and implementing technical standards, guidelines,

recommendations, and opinions relating to FIUs, it should be composed of the heads of FIUs of Member States

(‘General Board in FIU composition’). For the same types of acts relating to the direct or indirect supervision of

financial and non-financial obliged entities, it should be composed of the heads of AML/CFT supervisors that are

public authorities (‘General Board in supervisory composition’). All parties represented in the General Board should

make efforts to limit the turnover of their representatives, in order to ensure continuity of the Board’s work. All

parties should aim to achieve a gender balanced representation on the General Board.

(57) For a smooth decision-making process, the tasks should be clearly divided: the General Board in FIU composition

should decide on draft regulatory and implementing technical standards, guidelines and similar measures for FIUs,

while the General Board in supervisory composition should decide on draft regulatory and implementing technical

standards, guidelines and similar measures for obliged entities. The General Board in supervisory composition

should also be able to provide, in accordance with procedures to be defined in agreement with the Executive Board,

its opinion to the Executive Board on all draft decisions in relation to individual selected obliged entities proposed by

the Joint Supervisory Teams. In the absence of such an opinion, the decisions should be taken by the Executive

Board. Whenever the Executive Board deviates in its final decision from the opinion provided by the General Board

in supervisory composition, it should explain the reasons therefor in writing.

(58) For the purposes of voting and taking decisions, each Member State should have one voting representative.

Therefore, the heads of the supervisory authorities of obliged entities in each Member State should appoint

a permanent representative as the voting member of the General Board in supervisory composition. Alternatively,

depending on the subject matter of the decision or agenda of a given General Board meeting, the supervisory

authorities of a Member State should be able to appoint an ad hoc representative. The practical arrangements related

to decision-making and voting by the General Board members in supervisory composition should be laid down in

the rules of procedure of the General Board, to be developed by the Authority.

13/90

EN

OJ L, 19.6.2024

(59) In order for the General Board in FIU composition to get assistance in the preparation of all relevant decisions under

its mandate, it should be supported by a standing committee with a more limited composition. The standing

committee should support the work of the General Board in FIU composition and perform its duties solely in the

interest of the Union as a whole. It should work in close cooperation with FIU delegates and the staff of the

Authority in charge of tasks related to FIUs, and in full transparency vis-à-vis the General Board in FIU composition.

(60) The Chair of the Authority should chair the General Board meetings and have a right to vote when decisions are

taken by simple majority unless otherwise provided for by this Regulation. The Commission should be a non-voting

member on the General Board. To establish good cooperation with other relevant institutions, the General Board

should also be able to admit other non-voting observers — in particular representatives nominated by the

Supervisory Board of the European Central Bank (ECB) and of each of the three European Supervisory Authorities,

namely, the EBA, the European Supervisory Authority (European Insurance and Occupational Pensions Authority —

EIOPA), established by Regulation (EU) No 1094/2010 of the European Parliament and of the Council (¹⁰), and the

European Supervisory Authority (European Securities and Markets Authority — ESMA), established by Regulation

(EU) No 1095/2010 of the European Parliament and of the Council (¹¹) (collectively, ‘the ESAs’) for the General Board

in supervisory composition and OLAF, Europol, Eurojust and the EPPO for the General Board in FIU composition —

where matters that fall under their respective mandates are discussed or decided upon. To ensure that relevant Union

institutions, bodies, offices and agencies are invited to the meetings where their presence would be required or

beneficial, the rules of procedure of the General Board should clearly define the circumstances under which those

Union institutions, bodies, offices and agencies, as well as other observers, should be able to be admitted to the

meetings. When drafting the relevant parts of the rules of procedure, the Authority should agree with those Union

institutions, bodies, offices and agencies on the terms and conditions of their participation. Such an agreement is

presumed where the terms and conditions for participation are already included in the bilateral working

arrangements or memoranda of understanding mandated by this Regulation. To allow a smooth decision-making

process, decisions of the General Board should be taken by simple majority, except for decisions concerning draft

regulatory and implementing technical standards, guidelines and recommendations, which should be taken by

a qualified majority of Member State representatives in accordance with the voting rules of the Treaties.

(61) The governing body of the Authority should be the Executive Board, composed of the Chair of the Authority and of

five full-time members, including the Vice-Chair, and appointed by the European Parliament and the Council upon

a proposal of the General Board based on the shortlist of qualified candidates drawn up by the Commission. With

the aim of ensuring a speedy and efficient decision-making process, the Executive Board should be in charge of the

planning and execution of all tasks of the Authority except where specific decisions are expressly allocated to the

General Board. In order to ensure the objectivity and appropriate rapidity of the decision-making process in the area

of direct supervision of selected obliged entities, the Executive Board should take all binding decisions addressed to

selected obliged entities. The representatives of the financial supervisors where the entity is established should be

able to attend the deliberations of the Executive Board. In addition, together with a representative of the

Commission, the Executive Board should be collectively responsible for the administrative and budgetary decisions

of the Authority.

(62) To allow for swift decisions, all decisions of the Executive Board, including decisions where the Commission has

a right to vote, should be taken by simple majority, with the Chair of the Authority holding a casting vote in the

event of a tied vote. To ensure sound financial management of the Authority, with respect to decisions where the

Commission has a right to vote and the Executive Board deviates from the opinion of the Commission, the Executive

Board should be able to provide a thorough justification for such deviation.

(63) To ensure the independent functioning of the Authority, the five full-time members of the Executive Board and the

Chair of the Authority should act independently and in the interest of the Union as a whole. They should behave,

both during and after their term of office, with integrity and discretion as regards the acceptance of certain

appointments or benefits. To avoid giving the impression that members of the Executive Board of the Authority

might use their position as members of the Executive Board to obtain a high-ranking appointment in the private

10

Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European

Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and

repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48).

Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European

Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing

Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84).

11

14/90

EN

OJ L, 19.6.2024

sector after their term of office, and to prevent any post-public employment conflicts of interests, a cooling-off

period for the five full-time members of the Executive Board as well as for the Chair of the Authority, should be

introduced.

(64) The Chair of the Authority should be appointed on the basis of objective criteria by the Council after approval by the

European Parliament. Both the European Parliament and the General Board should be able to conduct hearings of

the candidates for the position of Chair of the Authority, shortlisted by the Commission. In order to ensure an

informed choice of the best candidate by the European Parliament and the Council and a high degree of transparency

in the appointment process, the General Board should be able to issue a public opinion on the results of its hearings,

or transmit its opinion to the European Parliament, the Council and the Commission. The Chair should represent the

Authority externally and should report on the execution of the Authority’s tasks.

(65) The Executive Director of the Authority should be appointed by the Executive Board based on a shortlist drawn up

by the Commission. To enable an optimal choice, the shortlist should comprise at least two candidates, selected by

the Commission based on the grounds of merit and documented high-level administrative, budgetary and

management skills, to be demonstrated by the shortlisted candidates during an open selection procedure. The

Executive Director of the Authority should be a senior administrative staff member of the Authority, in charge of the

day-to-day management of the Authority, and responsible for budget administration, procurement, and recruitment

and staffing.

(66) Equality between women and men and diversity are fundamental values of the Union, which it promotes across the

whole range of Union actions. While progress has been made in those areas over time, more is needed in order to

achieve balanced representation in decision-making, whether at Union or national level. The Authority’s main

governing body, the Executive Board, should be collegial and should be composed of the Chair of the Authority and

five other independent members, while the day-to-day management should be entrusted to an Executive Director. All

those persons should be selected on the basis of an open selection procedure primarily guided by individual

merit-based criteria. At the same time, it is intended that the appointments collectively result in the Authority being

collegially steered by a group with sufficiently diverse expertise and background and gender-balanced representation.

Considering that the Commission is tasked with the preparation of the shortlists of candidates for the positions of

Chair of the Authority, member of the Executive Board and Executive Director, it should be guided by an imperative

to consider the collective outcome of the appointments. Specifically, the shortlisted candidates should enable the

appropriate appointing authorities to make appointments that ultimately enable sufficient diversity and gender

balance among top management of the Authority.

(67) To protect effectively the rights of parties concerned, for reasons of procedural economy, and to reduce the burden

on the Court of Justice of the European Union, the Authority should provide natural and legal persons with the

possibility of requesting a review of decisions taken under the direct supervision powers conferred on the Authority

by this Regulation and addressed to them, or which are of direct and individual concern to them. The independence

and objectivity of the opinions given by the Administrative Board of Review should be, among others, ensured by its

composition of five independent and suitably qualified persons.

(68) It is necessary to provide the Authority with the requisite human and financial resources so that it can fulfil the

objectives, tasks and responsibilities assigned to it under this Regulation. To guarantee the proper functioning of the

Authority, funding should be provided, depending on the tasks and functions, by a combination of fees levied on

certain obliged entities and a contribution from the Union budget. To ensure that the Authority can fulfil its tasks as

direct or indirect supervisor of obliged entities, an adequate mechanism for the determination and collection of fees

should be introduced. As regards the fees levied on selected obliged entities and certain non-selected obliged entities,

the methodology for their calculation and the process of collection of fees should be developed in a delegated act of

the Commission. The fees levied on certain obliged entities should be calculated according to the principle of

proportionality and taking into account, in particular, whether the obliged entities have qualified for direct

supervision, their risk profile and their turnover. The methodology should be calibrated in such a way as to ensure

that a lower risk profile results in a smaller fee contribution relative to the size of the entity. The contribution from

the Union budget is to be decided by the budgetary authority of the Union through the budgetary procedure. To that

end, the Authority should submit to the Commission a statement of estimates. It should also adopt financial rules

after consulting the Commission.

15/90

EN

OJ L, 19.6.2024

(69) The rules on establishment and implementation of the budget of the Authority, as well as the presentation of the

annual accounts of the Authority, should follow the provisions of Commission Delegated Regulation

(EU) 2019/715 (¹²) as regards cooperation with the EPPO and the effectiveness of OLAF’s investigations.

(70) In order to prevent and combat effectively internal fraud, corruption or any other illegal activity within the

Authority, it should be subject to Regulation (EU, Euratom) No 883/2013 as regards cooperation with the EPPO and

the effectiveness of OLAF investigations. The Authority should accede to the Interinstitutional Agreement of 25 May

1999 between the European Parliament, the Council of the European Union and the Commission of the European

Communities concerning internal investigations by the European Anti-fraud Office (OLAF) (¹³), which should be able

to carry out on-the-spot checks within the area of its competence.

(71) As stated in the Communication of the Commission of 7 February 2013 entitled ‘Cybersecurity Strategy of the

European Union: An Open, Safe and Secure Cyberspace’, it is essential to ensure a high level of cyber resilience in all

Union institutions, bodies, offices and agencies due to the increasingly hostile threat environment. The Executive

Director should thus ensure appropriate IT risk management, a strong internal IT governance and sufficient IT

security funding. As a rule, at least 10 % of the Authority’s IT expenditure should be transparently allocated to direct

IT security. The contribution to the Cybersecurity Service for the Union institutions, bodies, offices and agencies

(CERT-EU) could be counted in that minimum expenditure requirement. The Authority should work closely with

CERT-EU and report major incidents within 24 hours to CERT-EU as well as to the Commission.

(72) The Authority should be accountable to both the European Parliament and the Council for the execution of its tasks

and the implementation of this Regulation. The Authority should submit a report in that respect to the European

Parliament, to the Council and to the Commission on an annual basis.

(73) The staff of the Authority should be composed of temporary agents, contractual agents and seconded national

experts, including the national delegates placed at the disposition of the Authority by FIUs but that remain under the

authority of their delegating FIU. The Authority, in agreement with the Commission, should adopt the relevant

implementing measures in accordance with the arrangements provided for in Article 110 of the Staff Regulations of

Officials of the European Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (¹⁴) (the ‘Staff

Regulations’).

(74) To ensure that confidential information is treated as such, all members of the governing bodies of the Authority, all

staff of the Authority, including seconded staff and staff placed at the disposition of the Authority, as well as any

persons carrying out tasks for the Authority on a contractual basis, should be subject to the obligation of

professional secrecy, including any confidentiality restrictions and obligations stemming from the relevant

provisions of Union law, and related to the specific tasks of the Authority. However, confidentiality and professional

secrecy obligations should not prevent the Authority from cooperating with, exchanging or disclosing information

to other relevant Union or national authorities or bodies, where it is necessary for the performance of their

respective tasks and where such cooperation and exchange of information obligations are envisaged in Union law.

(75) Without prejudice to the confidentiality obligations that apply to the staff of the Authority and its representatives in

accordance with the relevant provisions of Union law, the Authority should be subject to Regulation

(EC) No 1049/2001 of the European Parliament and of the Council (¹⁵). In line with the confidentiality and

professional secrecy restrictions related to supervisory tasks and to FIU support and coordination tasks of the

Authority, public access to documents of the European Parliament, Council and Commission provided for in that

Regulation should not be extended to confidential information handled by the staff of the Authority. In particular,

any operational data, or information related to such operational data, of the Authority and of the FIUs that is

handled by the staff of the Authority as a result of carrying out the tasks and activities related to support and

coordination of FIUs should be deemed confidential. With regard to supervisory tasks, access to information or data

of the Authority, of the financial supervisors, or of the obliged entities obtained as a result of carrying out the tasks

and activities related to direct supervision should in principle also be treated as confidential and not subject to

12

Commission Delegated Regulation (EU) 2019/715 of 18 December 2018 on the framework financial regulation for the bodies set

up under the TFEU and Euratom Treaty and referred to in Article 70 of Regulation (EU, Euratom) 2018/1046 of the European

Parliament and of the Council (OJ L 122, 10.5.2019, p. 1).

OJ L 136, 31.5.1999, p. 15.

OJ L 56, 4.3.1968, p. 1.

Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European

Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).

16/90

EN

OJ L, 19.6.2024

disclosure. However, confidential information that relates to a supervisory procedure should be able to be fully or

partially disclosed to the obliged entities which are parties to that supervisory procedure, subject to the legitimate

interest of other persons in the protection of their business secrets.

(76) Without prejudice to any specific language arrangements that might be adopted within the AML/CFT supervisory

system and with selected obliged entities, Council Regulation No 1 (¹⁶) should apply to the Authority and any

translation services which might be required for the functioning of the Authority, other than interpretation, should

be provided by the Translation Centre for the Bodies of the European Union.

(77) Without prejudice to the obligations of Member States and their authorities, the processing of personal data on the

basis of this Regulation for the purposes of the prevention of ML/TF should be considered necessary for the

performance of a task carried out in the public interest or in the exercise of official authority vested in the Authority

under Article 5 of Regulation (EU) 2018/1725 of the European Parliament and of the Council (¹⁷) and Article 6 of

Regulation (EU) 2016/679 of the European Parliament and of the Council (¹⁸). Regulation (EU) 2018/1725 requires

the Commission to consult the European Data Protection Supervisor when preparing delegated or implementing

acts that have an impact on the protection of individuals’ rights and freedoms with regard to the processing of

personal data. That might be the case for the regulatory and implementing technical standards to be developed by

the Authority. In order to ensure a smooth process for the preparation and adoption of those acts, where the

Authority considers that there is an added value in consulting the European Data Protection Supervisor already at

the stage of the development of those acts, it should inform the Commission thereof and obtain its authorisation to

proceed with the consultation.

(78) Reporting of irregularities by employees of obliged entities or groups can provide the Authority with critical

information on the overall level of compliance by credit institutions and financial institutions across the Union with

AML/CFT requirements. Similarly, reporting by employees of supervisory authorities, self-regulatory bodies

performing supervisory functions and FIUs can assist the Authority in its role of ensuring high-quality supervision

and supporting the development of effective financial intelligence across the internal market. However, those

employees need to have sufficient assurances that their reports will be treated with a high level of confidentiality and

that their personal data will not be disclosed under any circumstances. To that end, the Authority should have in

place measures to maintain the confidentiality of reports of irregularities. In establishing its internal rules for the

handling of reports concerning possible breaches of AML/CFT rules, the Authority should ensure that reports by

employees of selected obliged entities are prioritised and may set out procedures to deal with repetitive reports, high

inflows of reports and situations where reports are submitted, which concern breaches that fall outside the

Authority’s mandate. In addition, persons reporting breaches relating to AML/CFT to the Authority should qualify

for the protection provided under Directive (EU) 2019/1937 of the European Parliament and of the Council (¹⁹),

provided that the conditions established therein are fulfilled.

(79) The Authority should establish cooperative relations with the relevant Union bodies, offices and agencies, including

Europol, Eurojust, the EPPO and the ESAs. To improve cross-sectoral supervision and promote better cooperation

between prudential and AML/CFT supervisors, the Authority should also establish cooperative relations with the

authorities competent for prudential supervision of obliged entities in the financial sector, including the ECB with

16

Council Regulation No 1 determining the languages to be used by the European Economic Community (OJ 17, 6.10.1958,

p. 385/58).

Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural

persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free

movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons

with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General

Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who

report breaches of Union law (OJ L 305, 26.11.2019, p. 17).

17/90

EN

OJ L, 19.6.2024

regard to matters relating to the tasks conferred on it by Council Regulation (EU) No 1024/2013 (²⁰), as well as with

resolution authorities as defined in Article 3 of Directive 2014/59/EU of the European Parliament and the

Council (²¹), designated authorities as defined in Article 2(1), point (18), of Directive 2014/49/EU of the European

Parliament and the Council (²²) and competent authorities as defined in Article 3(1), point (35), of Regulation

(EU) 2023/1114 of the European Parliament and of the Council (²³). To that end, the Authority should be able to

conclude agreements or memoranda of understanding with such bodies, including with regard to any information

exchange which is necessary for the fulfilment of the respective tasks of the Authority and those bodies. The

Authority should make best efforts to share information with such bodies on their request, within the limits posed

by legal constraints, including data protection legislation. In addition, the Authority should enable effective

information exchange between all financial supervisors in the AML/CFT supervisory system and the aforementioned

authorities and such cooperation and information exchanges should take place in a structured and efficient way.

(80) Partnerships for information sharing have become increasingly important cooperation and information exchange

fora between competent authorities and obliged entities in some Member States. Given the Authority’s mandate in

preventing and detecting money laundering, its predicate offences and terrorist financing, it should be possible for

the Authority to set up a partnership for information sharing in order to pursue that goal. Information exchanged

within the scope of a partnership for information sharing should be consistent with the scope of the Authority’s

mandate. Where the Authority would act as direct supervisor of selected obliged entities or in support to FIUs which

are part of a partnership for information sharing in any Member State, it could be beneficial for the Authority to also

participate therein, under the conditions determined by the relevant national public authority or authorities that set

up such partnership for information sharing and with their express agreement.

(81) Considering that cooperation between supervisory, administrative and law enforcement authorities is crucial in

order to successfully combat ML/TF, and certain Union authorities and bodies have specific tasks or mandates in that

area, the Authority should ensure that it is able to cooperate with such authorities and bodies, in particular OLAF,

Europol, Eurojust, and the EPPO. If there is a need to establish specific working arrangements or conclude

memoranda of understanding between the Authority and those authorities and bodies, the Authority should be able

to do so. The arrangements should be of a strategic and technical nature, should not imply the sharing of any

confidential or operational information in possession of the Authority and should account for tasks already carried

out by the other Union institutions, bodies, offices or agencies as regards the prevention of and fight against ML/TF.

(82) Since predicate offences as well as the crime of money laundering itself often are of a global nature, and given that

Union obliged entities also operate with and in third countries, effective cooperation with all relevant third-country

authorities in the areas of both supervision and functioning of FIUs are crucial for strengthening the Union

AML/CFT framework. Given the Authority’s unique combination of direct and indirect supervision and FIU

cooperation-related tasks and powers, it should be able to take an active role in such external cooperation

arrangements. Specifically, the Authority should be empowered to develop contacts and enter into administrative

arrangements with authorities in third countries that have regulatory, supervisory and FIU-related competences. The

Authority’s role could be particularly beneficial in cases where the interaction of several Union public authorities and

FIUs with third-country authorities concerns matters within the scope of the Authority’s tasks. In such cases, the

Authority should have a leading role in facilitating that interaction.

20

Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning

policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63).

Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery

and resolution of credit institutions and investment firms and amending Council Directive 82/891/EEC, and Directives 2001/24/EC,

2002/47/EC, 2004/25/EC, 2005/56/EC, 2007/36/EC, 2011/35/EU, 2012/30/EU and 2013/36/EU, and Regulations

(EU) No 1093/2010 and (EU) No 648/2012 of the European Parliament and of the Council (OJ L 173, 12.6.2014, p. 190).

Directive 2014/49/EU of the European Parliament and of the Council of 16 April 2014 on deposit guarantee schemes (OJ L 173,

12.6.2014, p. 149).

Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and

amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (OJ L 150,

9.6.2023, p. 40).

18/90

EN

OJ L, 19.6.2024

(83) Given its tasks and powers in the field of AML/CFT, the Authority is well placed to support the action of the

Commission in international fora, including the FATF, with a view to promoting a united, common, consistent and

effective representation of the Union’s interests in such fora. Therefore, the Authority should assist the Commission

in its activities as member of the FATF, and contribute to the representation of the Union and the defence of its

interests in international fora. In view of the importance of the mutual evaluations carried out by the FATF and the

Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism of the

Council of Europe — MONEYVAL, and where those evaluations concern Member States, the staff of the Authority

should make themselves available and cooperate with the assessment teams responsible for carrying out the

evaluations, where needed.

(84) Since it is intended that the Authority has a full range of powers and tasks related to direct and indirect supervision

and oversight of all obliged entities, it is necessary that those powers remain consolidated within one Union body

and do not give rise to conflicting competences with other Union bodies. Therefore, the EBA should not retain its

tasks and powers related to AML/CFT once this Regulation becomes fully applicable, and the corresponding articles

in Regulation (EU) No 1093/2010 should be deleted. The resources allocated to the EBA for the fulfilment of those

tasks and powers should be transferred to the Authority. Considering that all three ESAs should cooperate with the

Authority, and should be able to attend the meetings of the General Board in supervisory composition as observers,

the same possibility should be afforded to the Authority in respect of meetings of the Board of Supervisors of the

ESAs. In cases where the respective Boards of Supervisors discuss or decide on matters that are relevant for the

execution of the Authority’s tasks and powers, the Authority should be able to participate in their meetings as an

observer. The articles on the compositions of the Board of Supervisors in Regulations (EU) No 1093/2010,

(EU) No 1094/2010 and (EU) No 1095/2010 should therefore be amended accordingly.

(85) In order to ensure the effectiveness of this Regulation, the power to adopt acts in accordance with Article 290 TFEU

should be delegated to the Commission in respect of the rules of procedure for the exercise of the power to impose

pecuniary sanctions or periodic penalty payments, in respect of detailed rules on the limitation periods for the

imposition and enforcement of penalties, as well as in respect of the establishment of a methodology for calculating

the amount of the fee levied on each selected and non-selected obliged entity subject to fees and the procedure for

collecting those fees. It is of particular importance that the Commission carry out appropriate consultations during

its preparatory work, including at expert level, and that those consultations be conducted in accordance with the

principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (²⁴). In particular, to

ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all

documents at the same time as Member States’ experts, and their experts systematically have access to meetings of

Commission expert groups dealing with the preparation of delegated acts.

(86) The Authority should assume most of its tasks and powers in accordance with this Regulation by 1 July 2025. Direct

supervision of selected obliged entities should commence as of 2028. This should give the Authority sufficient time

to establish its headquarter in the Member State as determined by this Regulation.

(87) Since the objectives of this Regulation cannot be sufficiently achieved by the Member States but can rather, by reason

of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance

with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with

the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in

order to achieve those objectives.

(88) The ECB delivered an opinion on 16 February 2022 (²⁵).

(89) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation

(EU) 2018/1725 and delivered an opinion on 22 September 2021 (²⁶),

24

OJ L 123, 12.5.2016, p. 1.

OJ C 210, 25.5.2022, p. 5.

OJ C 524, 29.12.2021, p. 10.

25

26

19/90

EN

OJ L, 19.6.2024

HAVE ADOPTED THIS REGULATION:

CHAPTER I

ESTABLISHMENT, LEGAL STATUS AND DEFINITIONS

Article 1

Establishment and scope of action

1.

The Authority for Anti-Money Laundering and Countering the Financing of Terrorism (‘the Authority’) is hereby

established.

2.

The Authority shall act within the powers conferred on it by this Regulation, in particular those set out in Article 6,

and within the scope of Regulation (EU) 2023/1113, Directive (EU) 2024/1640 and Regulation (EU) 2024/1624, as well as

all directives, regulations and decisions based on those acts, of any further legally binding Union act which confers tasks on

the Authority, and of national legislation transposing Directive (EU) 2024/1640, and other directives conferring tasks on

supervisory authorities.

3.

The objective of the Authority shall be to protect the public interest, the stability and integrity of the Union’s financial

system, and the proper functioning of the internal market by:

(a) preventing the use of the Union’s financial system for the purposes of money laundering and terrorist financing

(‘ML/TF’);

(b) contributing to the identification and assessment of ML/TF risks and threats across the internal market, as well as risks

and threats originating from outside the Union that impact, or have the potential to impact, the internal market;

(c) ensuring high-quality supervision in the area of anti-money laundering and countering the financing of terrorism

(‘AML/CFT’) across the internal market;

(d) contributing to supervisory convergence in the area of AML/CFT across the internal market;

(e) contributing to the harmonisation of practices in the detection of suspicious transactions or activities by Financial

Intelligence Units (‘FIUs’);

(f) supporting and coordinating the exchange of information between FIUs, and between FIUs and other competent

authorities.

The provisions of this Regulation are without prejudice to the powers of the Commission, in particular pursuant to

Article 258 TFEU, to ensure compliance with Union law.

Article 2

Definitions

1.

For the purposes of this Regulation, in addition to the definitions set out in Article 2 of Regulation (EU) 2024/1624

and Article 2 of Directive (EU) 2024/1640, the following definitions apply:

(1) ‘selected obliged entity’ means a credit institution, a financial institution, or a group of credit institutions or financial

institutions at the highest level of consolidation in the Union in accordance with applicable accounting standards,

which is under direct supervision by the Authority pursuant to Article 13;

(2) ‘non-selected obliged entity’ means a credit institution, a financial institution, or a group of credit institutions or

financial institutions at the highest level of consolidation in the Union in accordance with applicable accounting

standards, other than a selected obliged entity;

(3) ‘AML/CFT supervisory system’ means the Authority and the supervisory authorities in Member States;

(4) ‘non-AML/CFT authority’ means:

20/90

EN

OJ L, 19.6.2024

(a) a competent authority as defined in Article 4(1), point (40), of Regulation (EU) No 575/2013 of the European

Parliament and of the Council (²⁷);

(b) the European Central Bank (ECB), when it carries out the tasks conferred on it by Regulation (EU) No 1024/2013;

(c) a resolution authority designated in accordance with Article 3 of Directive 2014/59/EU;

(d) a designated authority as defined in Article 2(1), point (18), of Directive 2014/49/EU;

(e) a competent authority as defined in Article 3(1), point (35), of Regulation (EU) 2023/1114.

Article 3

Legal status

1.

2.

The Authority shall be a Union body with legal personality.

In each Member State, the Authority shall enjoy the most extensive legal capacity accorded to legal persons under

national law. It may, in particular, acquire or dispose of movable and immovable property and be a party to legal

proceedings.

3.

The Authority shall be represented by its Chair.

Article 4

Seat

The Authority shall have its seat in Frankfurt am Main, Germany.

CHAPTER II

TASKS AND POWERS OF THE AUTHORITY

SECTION 1

Tasks and powers

Article 5

Tasks

1.

The Authority shall perform the following tasks with respect to ML/TF risks facing the internal market:

(a) monitor developments across the internal market and assess threats, vulnerabilities and risks in relation to ML/TF;

(b) monitor developments in third countries and assess threats, vulnerabilities and risks in relation to their AML/CFT

systems that have an actual or potential impact on the internal market;

(c) collect and analyse information, from its own supervisory activities and those of the supervisors and supervisory

authorities, on weaknesses identified in the application of AML/CFT rules by obliged entities, the risk exposure of

obliged entities, the sanctions imposed and the remedial actions taken;

27

Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit

institutions and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).

21/90

EN

OJ L, 19.6.2024

(d) establish a central AML/CFT database of information collected from supervisory authorities or stemming from the

Authority’s activities, and keep it up to date;

(e) analyse the information collected in the central database and share those analyses with supervisors, supervisory

authorities and non-AML/CFT authorities on a need-to-know and confidential basis;

(f) support the analysis of risks of ML/TF and of non-implementation and evasion of targeted financial sanctions affecting

the internal market, referred to in Article 7 of Directive (EU) 2024/1640;

(g) support, facilitate and strengthen cooperation and exchange of information between obliged entities and supervisors,

supervisory authorities and non-AML/CFT authorities in order to develop a common understanding of ML/TF risks and

threats facing the internal market, including by participating in partnerships for information sharing in the field of

AML/CFT;

(h) issue publications and provide training, as well as other services on demand, in order to raise awareness of, and address,

ML/TF risks;

(i) report to the Commission any instances where the Authority, in the performance of its tasks, discovers that a Member

State has transposed Directive (EU) 2024/1640 incorrectly or incompletely;

(j) undertake any other specific task set out in this Regulation or in the other legislative acts referred to in Article 1(2).

2.

The Authority shall perform the following tasks with respect to selected obliged entities:

(a) ensure compliance of the selected obliged entities with the requirements applicable to them pursuant to Regulation

(EU) 2024/1624 and Regulation (EU) 2023/1113, including obligations related to the implementation of targeted

financial sanctions;

(b) carry out supervisory reviews and assessments at the level of individual entities and at group-wide level in order to

determine whether the internal policies, procedures and controls put in place by the selected obliged entities are

adequate to comply with the requirements applicable to them, and on the basis of those supervisory reviews and

assessments impose specific requirements, apply administrative measures and impose pecuniary sanctions and periodic

penalty payments pursuant to Articles 21, 22 and 23;

(c) participate in group-wide supervision, in particular in AML/CFT supervisory colleges, including where a selected obliged

entity is part of a group that has headquarters, subsidiaries or branches outside the Union;

(d) develop and keep up to date a system to assess the risks and vulnerabilities of the selected obliged entities, in order to

inform the supervisory activities of the Authority and the supervisory authorities, including through the collection of

data from those entities by means of structured questionnaires and other online or offline tools.

3.

The Authority shall perform the following tasks with respect to financial supervisors:

(a) maintain an up-to-date list of financial supervisors within the Union;

(b) carry out periodic assessments to ensure that all financial supervisors have adequate resources, powers and strategies

necessary for the performance of their tasks in the area of AML/CFT, and make the results of such assessments available;

(c) take, in response to a request by financial supervisors for the Authority to assume direct supervision or on the

Authority’s own initiative, appropriate measures in exceptional circumstances requiring the Authority’s intervention

and related to non-selected obliged entities’ compliance or risk exposure;

22/90

EN

OJ L, 19.6.2024

(d) facilitate the functioning of the AML/CFT supervisory colleges in the financial sector;

(e) contribute, in collaboration with financial supervisors, to the convergence of supervisory practices and the promotion

of high supervisory standards in the area of AML/CFT, including in relation to verification of compliance with AML/CFT

requirements related to targeted financial sanctions;

(f) coordinate staff and information exchanges among financial supervisors in the Union in the area of AML/CFT;

(g) provide assistance, in the area of AML/CFT, to financial supervisors, following their specific requests, including requests

to mediate between financial supervisors;

(h) settle, with binding effect, disagreements between financial supervisors concerning the measures to be taken in relation

to an obliged entity, including in the context of AML/CFT supervisory colleges, following a specific request as referred to

in point (g).

4.

The Authority shall perform the following tasks with respect to non-financial supervisors:

(a) maintain an up-to-date list of non-financial supervisors within the Union;

(b) coordinate peer reviews of supervisory standards and practices in the area of AML/CFT;

(c) in the area of AML/CFT, investigate potential breaches or non-application of Union law by non-financial supervisors

and public authorities overseeing self-regulatory bodies, issue recommendations on how to remedy the identified

breaches and, where the supervisors or public authorities do not comply with the recommendations, issue warnings

identifying the measures to be implemented to mitigate the effects of the breach;

(d) carry out periodic reviews to ensure that all non-financial supervisors have adequate resources and powers necessary for

the performance of their tasks in the area of AML/CFT;

(e) contribute to the convergence of supervisory practices and the promotion of high supervisory standards in the area of

AML/CFT;

(f) facilitate the functioning of AML/CFT supervisory colleges in the non-financial sector;

(g) provide assistance to non-financial supervisors, following their specific requests, such as requests to mediate between

non-financial supervisors in the event of a disagreement on the measures to be taken in relation to an obliged entity,

including in the context of AML/CFT supervisory colleges.

Where supervision of specific sectors is delegated at national level to self-regulatory bodies, the Authority shall exercise the

tasks set out in the first subparagraph in relation to supervisory authorities overseeing the activities of those bodies.

5.

The Authority shall perform the following tasks with respect to FIUs and their activities in Member States:

(a) maintain an up-to-date list of FIUs within the Union;

(b) monitor changes in the legal framework of FIUs, as well as in their organisation, focusing on resources for the

performance of their tasks;

(c) support the work of FIUs and contribute to improved cooperation and coordination between FIUs;

(d) contribute to the identification and the selection of relevant cases for the conduct of joint analyses by FIUs;

23/90

EN

OJ L, 19.6.2024

(e) develop appropriate methods and procedures for the conduct of joint analyses by FIUs of cross-border cases;

(f) set up, coordinate, organise and facilitate the conduct of joint analyses carried out by FIUs;

(g) provide assistance to FIUs, upon their specific requests, such as requests for mediation in the case of a disagreement

between FIUs;

(h) conduct peer reviews of the activities of FIUs aimed at strengthening their consistency and effectiveness and identifying

best practices;

(i) develop and make available to FIUs tools and services to enhance their analysis capabilities, as well as IT and artificial

intelligence services and tools for secure information sharing, including by hosting FIU.net;

(j) develop, share and promote expert knowledge on detection, analysis, and dissemination methods of suspicious

transactions;

(k) at the request of FIUs, provide them with specialised training and assistance, including through the provision of

financial support, within the scope of the Authority’s objectives and in accordance with the staffing and budgetary

resources at its disposal;

(l) support, at the request of FIUs, their interaction with obliged entities by providing expert knowledge to obliged entities,

including improving their awareness and procedures to detect suspicious activities and transactions and their reporting

to the FIUs;

(m) prepare and coordinate assessments and strategic analyses of ML/TF threats, risks and methods identified by FIUs.

6.

For the purpose of carrying out the tasks conferred on it by this Regulation, the Authority shall apply all relevant

Union law, and where that Union law is composed of directives, the national legislation transposing those directives. Where

the applicable law is composed of regulations, and where currently those regulations expressly grant options for Member

States, the Authority shall apply also the national legislation exercising those options.

Article 6

Powers of the Authority

1.

With respect to the selected obliged entities, the Authority shall have the supervisory and investigative powers as

specified in Articles 17 to 21 and the power to impose pecuniary sanctions and periodic penalty payments as specified in

Articles 22 and 23.

The Authority shall also have the powers and obligations which financial supervisors have in the area of AML/CFT under

the applicable Union law, unless otherwise provided for by this Regulation.

To the extent necessary to carry out the tasks conferred on it by this Regulation, the Authority may require financial

supervisors, by way of instructions, to make use of their powers in the area of AML/CFT, under and in accordance with the

conditions set out in national law, where this Regulation does not confer such powers on the Authority.

For the purposes of exercising the powers referred to in the first and second subparagraphs, the Authority may issue

binding decisions addressed to individual selected obliged entities. The Authority shall have the power to apply

administrative measures and impose pecuniary sanctions for non-compliance with the decisions taken in the exercise of the

power laid down in Article 21 in accordance with Article 22.

2.

With respect to supervisors and supervisory authorities, the Authority shall have the following powers:

24/90

EN

OJ L, 19.6.2024

(a) to require the submission of information or documents, including written or oral explanations, necessary for the

performance of its functions, including statistical information and information concerning internal processes or

arrangements of national supervisors and supervisory authorities, and to access that information in and extract it from

the common structured questionnaires and other online and offline tools developed by the Authority;

(b) to issue guidelines and recommendations;

(c) to issue requests to act and instructions on measures to be taken in relation to non-selected obliged entities pursuant to

Chapter II, Section 4;

(d) to carry out mediation upon the request of a financial supervisor or of a non-financial supervisor;

(e) upon the request of financial supervisors, to settle, with binding effect, disagreements between financial supervisors,

including in the context of the AML/CFT supervisory colleges.

3.

With respect to FIUs in Member States, the Authority shall have the following powers:

(a) to request non-operational data and analyses from FIUs, where they are necessary for the assessment of threats,

vulnerabilities and risks facing the internal market in relation to ML/TF;

(b) to collect information and statistics in relation to the tasks and activities of FIUs;

(c) to obtain and process information and data required for initiating, conducting and coordinating joint analyses as

specified in Article 40;

(d) to issue guidelines and recommendations.

4.

For the purposes of carrying out the tasks set out in Article 5(1), the Authority shall have the following powers:

(a) to develop draft regulatory technical standards in accordance with Article 49;

(b) to develop draft implementing technical standards in accordance with Article 53;

(c) to issue guidelines and recommendations, as provided for in Article 54;

(d) to provide opinions to the European Parliament, to the Council and to the Commission, as provided for in Article 55.

SECTION 2

AML/CFT supervisory system

Article 7

Cooperation within the AML/CFT supervisory system

1.

2.

The Authority shall be responsible for the effective and consistent functioning of the AML/CFT supervisory system.

The Authority and the supervisory authorities shall be subject to a duty of cooperation in good faith, and to an

obligation to exchange information for AML/CFT purposes in accordance with this Regulation, Regulation (EU) 2023/1113,

Regulation (EU) 2024/1624 and Directive (EU) 2024/1640.

3.

At the request of the Authority, supervisory authorities shall provide the Authority with all information concerning

obliged entities that remain directly supervised at national level which is necessary for the fulfilment of Authority’s tasks

pursuant to Article 5(1), (3) and (4), where the supervisory authorities have legal access to such information.

25/90

EN

OJ L, 19.6.2024

Supervisory authorities shall assist the Authority in identifying and taking into account the specificities of their

4.

respective national legal frameworks, in particular where the Authority is applying national legislation transposing Union

law as referred to in Article 1(2).

Article 8

AML/CFT supervisory methodology

1.

In cooperation with the supervisory authorities, the Authority shall develop and maintain an up-to-date and

harmonised AML/CFT supervisory methodology detailing the risk-based approach to supervision of obliged entities in the

Union. That methodology shall comprise guidelines, recommendations, opinions and other measures and instruments as

appropriate, including in particular regulatory and implementing technical standards, on the basis of the empowerments

laid down in the acts referred to in Article 1(2).

2.

When developing the supervisory methodology, the Authority shall distinguish between obliged entities, including on

the basis of their activities and the type and nature of the ML/TF risks to which they are exposed. The supervisory

methodology shall be risk-based and contain at least the following elements:

(a) benchmarks and a methodology for classification of obliged entities into risk categories on the basis of their residual

risk profile, separately for each category of obliged entities;

(b) approaches to supervisory review of ML/TF risk self-assessments of obliged entities;

(c) approaches to supervisory review of obliged entities’ internal policies and procedures, including their customer due

diligence policies and procedures, in line with a risk-based approach to the prevention of ML/TF;

(d) approaches to supervisory evaluation of risk factors inherent in, or related to, customers, business relationships,

transactions and delivery channels of obliged entities, as well as geographical risk factors.

3.

The Authority shall develop structured questionnaires and other online or offline tools to be used by the Authority

and supervisors for the purposes of requesting, collecting, compiling and analysing data and information from obliged

entities, including the data to be relied upon in application of the elements of the supervisory methodology listed in

paragraph 2.

The tools developed by the Authority shall ensure the collection of objective and comparable AML/CFT-related data and

information from obliged entities and enable an efficient and speedy exchange of information between supervisors and the

Authority.

The Authority shall endeavour to develop those tools as soon as the supervisory methodology is applicable across the entire

AML/CFT supervisory system.

4.

The supervisory methodology shall reflect high supervisory standards at Union level and shall build on relevant

international standards and guidance. The Authority shall periodically review and update its supervisory methodology,

taking into account the evolution of risks affecting the internal market, including risks and threats identified by national law

enforcement authorities and FIUs. The supervisory methodology shall, to the extent possible, take into account best

practices and guidance developed by international standard setters.

Article 9

Thematic reviews

1.

No later than 1 December each year, supervisory authorities shall provide information to the Authority on

supervisory reviews which they intend to carry out, on a thematic basis, during the following year or supervisory term and

which aim to assess ML/TF risks or a specific aspect of such risks to which multiple obliged entities are exposed at the same

time. The following information shall be provided:

(a) the scope of each planned thematic review in terms of category and number of obliged entities included and the subject

matter of the review;

26/90

EN

OJ L, 19.6.2024

(b) the timeframe of each planned thematic review;

(c) the planned types, nature and frequency of supervisory activities to be performed in relation to each thematic review,

including any on-site inspections or other types of direct interaction with obliged entities, where applicable.

2.

By the end of each year, the Chair of the Authority shall present to the General Board in supervisory composition as

referred to in Article 57(2) a consolidated planning of the thematic reviews that supervisory authorities intend to carry out

during the following year.

3.

Where the scope and Union-wide relevance of thematic reviews justify coordination at Union level, they shall be

carried out jointly by the relevant supervisory authorities and shall be coordinated by the Authority. The Executive Board

may propose joint thematic reviews based on the available analyses of threats, vulnerabilities and risks in the internal

market. The General Board in supervisory composition shall draw up a list of joint thematic reviews. The General Board in

supervisory composition shall draw up a report relating to the conduct, subject matter and outcome of each joint thematic

review. The Authority shall publish that report on its website.

4.

The Authority shall coordinate the activities of the supervisory authorities and facilitate the planning and execution of

the joint thematic reviews referred to in paragraph 3. Any direct interaction with obliged entities other than the selected

obliged entities in the context of any thematic review shall remain under the exclusive responsibility of the supervisory

authority responsible for supervision of those obliged entities and shall not be construed as a transfer of tasks and powers

related to those entities within the AML/CFT supervisory system.

5.

Where planned thematic reviews at national level are not subject to a coordinated approach at the level of the Union,

the Authority shall, jointly with the supervisory authorities, explore the need for and the possibility of aligning or

synchronising the timeframe of those thematic reviews, and shall facilitate information exchange and mutual assistance

between supervisory authorities carrying out those thematic reviews. The Authority shall also facilitate any activities that

the relevant supervisory authorities may wish to carry out jointly or in a similar manner in the context of their respective

thematic reviews.

6.

The Authority shall ensure that the outcomes and conclusions of the thematic reviews conducted at national level by

several supervisory authorities are shared with all supervisory authorities, with the exception of confidential information

pertaining to individual obliged entities. Such sharing of information shall include any common conclusions resulting from

exchanges of information or from joint or coordinated activities involving several supervisory authorities.

Article 10

Mutual assistance in the AML/CFT supervisory system

1.

The Authority may, as appropriate, develop:

(a) new practical instruments and convergence tools to promote common supervisory approaches and best practices;

(b) practical tools and methods for mutual assistance following:

(i) specific requests from supervisory authorities;

(ii) referral of disagreements between supervisory authorities on the measures to be taken jointly by several supervisory

authorities in relation to an obliged entity.

2.

The Authority shall facilitate and encourage at least the following activities:

(a) sectoral and cross-sectoral training programmes, including with respect to technological innovation;

(b) exchanges of staff and the use of secondment schemes, twinning and short-term visits;

(c) exchanges of supervisory best practices between supervisory authorities where one authority has developed expertise in

a specific area of AML/CFT supervisory practices.

27/90

EN

OJ L, 19.6.2024

Each supervisory authority may submit a request for mutual assistance related to its supervisory tasks to the

3.

Authority, specifying the type of assistance it seeks from the staff of the Authority, the staff of one or more supervisory

authorities, or a combination thereof. If the request concerns activities that relate to the supervision of specific obliged

entities, the requesting supervisory authority shall transmit to the Authority the information and data necessary for the

provision of assistance. The Authority shall keep and regularly update the information on specific areas of expertise and on

the capacities of supervisory authorities to provide mutual assistance related to their supervisory tasks.

4.

Where the Authority is requested to provide assistance for the performance of specific supervisory tasks at national

level in relation to obliged entities other than selected obliged entities, the requesting supervisory authority shall detail, in its

request, the tasks for which support is sought. The assistance shall not be construed as the transfer, from the requesting

supervisory authority to the Authority, of supervisory tasks, powers, or accountability for the supervision of obliged entities

other than selected obliged entities.

5.

Where the Authority is of the opinion that the request is appropriate and feasible, it shall make every effort to provide

the requested assistance, including by mobilising its own human resources as well as by ensuring that supervisory

authorities mobilise resources on a voluntary basis.

6.

By the end of each year, the Chair of the Authority shall inform the General Board in supervisory composition of the

human resources that the Authority will allocate to providing the assistance requested under paragraph 3 of this Article

during the following year. Where the availability of human resources changes due to the performance of any of the tasks

referred to in Article 5(2), (3) and (4), the Chair of the Authority shall inform the General Board in supervisory composition

thereof.

7.

Any interaction between the staff of the Authority and the obliged entity shall remain under the exclusive

responsibility of the supervisory authority responsible for the supervision of that entity. Such interaction shall not be

construed as a transfer of tasks or powers related to individual obliged entities within the AML/CFT supervisory system.

Article 11

Central AML/CFT database

1.

The Authority shall establish and keep up to date a central database of information pursuant to this Article.

The Authority shall make the information available to supervisory authorities, non-AML/CFT authorities, other national

authorities and bodies competent for ensuring compliance with Directive 2008/48/EC of the European Parliament and of

the Council (²⁸), Directive 2009/110/EC of the European Parliament and of the Council (²⁹), Directive 2009/138/EC of the

European Parliament and of the Council (³⁰), Directive 2014/17/EU of the European Parliament and of the Council (³¹),

Regulation (EU) No 537/2014 of the European Parliament and of the Council (³²), Directive 2014/56/EU of the European

Parliament and of the Council (³³), Directive 2014/65/EU of the European Parliament and of the Council (³⁴) or Directive

(EU) 2015/2366 of the European Parliament and of the Council (³⁵), and to the European Supervisory Authorities, namely,

28

Directive 2008/48/EC of the European Parliament and of the Council of 23 April 2008 on credit agreements for consumers and

repealing Council Directive 87/102/EEC (OJ L 133, 22.5.2008, p. 66).

Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and

prudential supervision of the business of electronic money institutions amending Directives 2005/60/EC and 2006/48/EC and

repealing Directive 2000/46/EC (OJ L 267, 10.10.2009, p. 7).

Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009 on the taking-up and pursuit of the

business of Insurance and Reinsurance (Solvency II) (OJ L 335, 17.12.2009, p. 1).

Directive 2014/17/EU of the European Parliament and of the Council of 4 February 2014 on credit agreements for consumers

relating to residential immovable property and amending Directives 2008/48/EC and 2013/36/EU and Regulation

(EU) No 1093/2010 (OJ L 60, 28.2.2014, p. 34).

Regulation (EU) No 537/2014 of the European Parliament and of the Council of 16 April 2014 on specific requirements regarding

statutory audit of public-interest entities and repealing Commission Decision 2005/909/EC (OJ L 158, 27.5.2014, p. 77).

Directive 2014/56/EU of the European Parliament and of the Council of 16 April 2014 amending Directive 2006/43/EC on

statutory audits of annual accounts and consolidated accounts (OJ L 158, 27.5.2014, p. 196).

Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and

amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349).

Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal

market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing

Directive 2007/64/EC (OJ L 337, 23.12.2015, p. 35).

28/90

EN

OJ L, 19.6.2024

the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance

and Occupational Pensions Authority (EIOPA) (collectively, ‘the ESAs’), on a need-to-know and confidential basis, where it is

necessary for the fulfilment of their tasks.

The Authority shall also analyse the collected information and may share the results of its analysis on its own initiative with

supervisory authorities, where to do so would facilitate their supervisory activities, and, where relevant, with obliged

entities.

2.

The supervisory authorities shall transmit to the Authority at least the following information, including the data

related to individual obliged entities, so that the Authority enters that information into the database:

(a) a list of all supervisory authorities and self-regulatory bodies in their Member State entrusted with the supervision of

obliged entities, including information about their mandate, tasks and powers and, where applicable, the identification

of the leading supervisor or coordination mechanism;

(b) statistical information about the categories and the number of supervised obliged entities per category in their Member

State and basic information about the risk profile of those entities;

(c) the administrative measures applied and pecuniary sanctions imposed in the course of supervision of individual obliged

entities in response to breaches of AML/CFT requirements, accompanied by:

(i) the grounds for applying the administrative measure or imposing the pecuniary sanction, such as the nature of the

breach;

(ii) related information on the supervisory activities and outcomes which led to the administrative measure being

applied or the pecuniary sanction being imposed;

(d) any advice or opinion related to ML/TF risks provided to other authorities in relation to authorisation procedures,

withdrawal of authorisation procedures, and ‘fit and proper’ assessments of shareholders or members of the

management body of individual obliged entities;

(e) the outcomes of their assessments of the inherent and residual risk profiles of all credit institutions and financial

institutions that meet the criteria set out in Article 12(1);

(f) the outcomes and reports of thematic reviews and other horizontal supervisory actions with regard to high-risk areas or

activities;

(g) information regarding the supervisory activities they performed over the past calendar year, gathered pursuant to

Article 40(5) of Directive (EU) 2024/1640;

(h) statistical information about staffing and other resources of supervisors and supervisory authorities.

The information provided pursuant to the first subparagraph shall not include references to specific suspicions reported

pursuant to Article 69 of Regulation (EU) 2024/1624.

The Authority shall also enter into the database the information stemming from its activities in the area of direct

supervision which corresponds to the categories of information listed in the first subparagraph, as well as the outcomes of

the risk assessment process carried out by the Authority pursuant to Article 12.

3.

The Authority may request supervisory authorities to provide other information in addition to that referred to in

paragraph 2. The supervisory authorities shall update any provided information as soon as the update is necessary or at the

Authority’s request.

4.

The Authority shall enter into the database any data or information relevant for the purposes of AML/CFT supervisory

activities which is provided by non-AML/CFT authorities, other national authorities and bodies competent for ensuring

compliance with the requirements of Directive 2008/48/EC, Directive 2009/110/EC, Directive 2009/138/EC, Directive

2014/17/EU, Regulation (EU) No 537/2014, Directive 2014/56/EU, Directive 2014/65/EU or Directive (EU) 2015/2366, or

by the ESAs.

The information referred to in the first subparagraph shall include instances where the authorities and bodies referred to in

that subparagraph have reasonable grounds to suspect that ML/TF is being attempted or committed or that an increased risk

thereof exists in connection with an obliged entity, and where such reasonable grounds arose in the context of the exercise

29/90

EN

OJ L, 19.6.2024

of their respective tasks. The database shall also include relevant information which authorities or bodies supervising credit

institutions in accordance with Directive 2013/36/EU of the European Parliament and of the Council (³⁶), including the ECB

when acting in accordance with Regulation (EU) No 1024/2013, have obtained, in the context of ongoing supervision,

including information on business model assessments, assessments of governance arrangements, authorisation procedures,

assessments of acquisitions of qualifying holdings, ‘fit and proper’ assessments and procedures related to the withdrawal of

licences.

5.

The authorities and bodies referred to in paragraph 1, second subparagraph, may address to the Authority a reasoned

request for information collected pursuant to this Article, if that information is necessary for their supervisory activities.

The Authority shall assess those requests and provide the information requested on a need-to-know and confidential basis

and in a timely manner. The Authority shall inform the authority or body that has initially provided the requested

information of the identity of the requesting authority or body, the identity of any obliged entity concerned, the reason for

the information request as well as whether the information has been provided to the requesting authority or body. Where

the Authority decides not to provide the requested information, it shall provide a reasoned justification for that decision.

6.

The Authority shall develop draft regulatory technical standards specifying:

(a) the procedure, formats and timelines for the transmission of information pursuant to paragraphs 2 and 3;

(b) the scope and level of detail of the information to be transmitted, taking into account relevant distinctions between

obliged entities, such as their risk profile;

(c) the scope and level of detail of the information to be transmitted in relation to obliged entities in the non-financial

sector;

(d) the type of information the disclosure of which by the Authority, pursuant to a reasoned request or at its own initiative,

requires the prior consent of the supervisory authority that originated it;

(e) which level of materiality a breach needs to have in order for a supervisory authority to be obliged to transmit

information on the breach pursuant to paragraph 2, point (c);

(f) the conditions under which the Authority may request additional information pursuant to paragraph 3;

(g) the types of additional information to be transmitted to the Authority pursuant to paragraph 3.

The Authority shall submit those draft regulatory technical standards to the Commission by 27 December 2025.

The Commission is empowered to supplement this Regulation by adopting the regulatory technical standards referred to in

the first subparagraph in accordance with Article 49 of this Regulation.

7.

Personal data collected in accordance with this Article may be kept in an identifiable form for a period of up to 10

years after the date of collection of the data by the Authority, at the end of which those data shall be deleted. Based on

a regular assessment of their necessity, personal data may be deleted before the expiry of that period on a case-by-case basis.

36

Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions

and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives

2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).

30/90

EN

OJ L, 19.6.2024

SECTION 3

Direct supervision of selected obliged entities

Article 12

Assessment of credit institutions and financial institutions for the purposes of selection for direct supervision

1.

For the purposes of carrying out the tasks listed in Article 5(2), the Authority, in collaboration with financial

supervisors, shall carry out a periodic assessment of credit institutions and financial institutions, and groups of credit

institutions and financial institutions, where they operate, whether through establishments or under the freedom to provide

services, in at least six Member States, including the home Member State, regardless of whether the activities are carried out

through infrastructure on the territory concerned or remotely.

2.

The supervisory authorities, and the obliged entities subject to periodic assessment, shall supply the Authority with

any information necessary to carry out the periodic assessment referred to in paragraph 1.

3.

The inherent and residual risk profiles of an obliged entity assessed pursuant to paragraph 1 shall be classified by the

Authority as low, medium, substantial or high, based on the benchmarks and following the methodology set out in the

regulatory technical standards referred to in paragraph 7. Where the assessed obliged entity is part of a group of credit

institutions or financial institutions, the risk profile shall be classified at group-wide level.

4.

The methodology for classifying inherent and residual risk profiles shall be established separately for at least the

following categories of obliged entities:

(a) credit institutions;

(b) bureaux de change;

(c) collective investment undertakings;

(d) credit providers other than credit institutions;

(e) e-money institutions;

(f) investment firms;

(g) payment institutions;

(h) life insurance undertakings;

(i) life insurance intermediaries;

(j) crypto-asset service providers;

(k) other financial institutions.

5.

For each category of obliged entities referred to in paragraph 4, the benchmarks for the assessment of inherent risk in

the assessment methodology shall be based on the risk factor categories related to customers, products, services,

transactions, delivery channels and geographical areas. The benchmarks shall be established for at least the following

indicators of inherent risk in any Member State in which the obliged entities operate:

(a) with respect to customer-related risk: the share of non-resident customers from third countries identified pursuant to

Chapter III, Section 2, of Regulation (EU) 2024/1624 and the presence and share of customers identified as politically

exposed persons;

(b) with respect to products and services offered:

(i) the significance and the trading volume of products and services identified as the most vulnerable to ML/TF risks

either at the level of the internal market, in the risk assessment at Union level, or at the level of the country, in the

national risk assessment;

31/90

EN

OJ L, 19.6.2024

(ii) for money remittance service providers, the significance of the aggregate annual emission and reception activities of

each remitter in the countries identified pursuant to Chapter III, Section 2, of Regulation (EU) 2024/1624;

(iii) the relative volume of products, services and transactions that offer a considerable level of protection of clients’

privacy and identity or other form of anonymity;

(c) with respect to geographical areas:

(i) the annual volume of correspondent banking services and correspondent crypto-asset services, provided by Union

financial sector entities in third countries identified pursuant to Chapter III, Section 2, of Regulation

(EU) 2024/1624;

(ii) the number and share of correspondent banking clients and crypto-asset clients in third countries identified

pursuant to Chapter III, Section 2, of Regulation (EU) 2024/1624.

6.

For each category of obliged entity referred to in paragraph 4, the assessment of residual risk in the assessment

methodology shall include benchmarks for the assessment of the quality of internal policies, controls and procedures put in

place by obliged entities to mitigate their inherent risk.

7.

The Authority shall develop draft regulatory technical standards specifying:

(a) the minimum activities to be carried out by a credit institution or a financial institution under the freedom to provide

services, whether through infrastructure or remotely, for it to be considered as operating in a Member State other than

that where it is established;

(b) the methodology based on the benchmarks referred to in paragraphs 5 and 6 for classifying the inherent and residual

risk profiles of credit institutions or financial institutions, or groups of credit institutions or financial institutions, as

low, medium, substantial or high.

The Authority shall submit those draft regulatory technical standards to the Commission by 1 January 2026.

The Commission is empowered to supplement this Regulation by adopting the regulatory technical standards referred to in

the first subparagraph in accordance with Article 49 of this Regulation.

8.

The Authority shall review the benchmarks and methodology at least every three years. Where amendments are

required, the Authority shall submit amended draft regulatory technical standards to the Commission.

Article 13

The listing of selected obliged entities

1.

Credit institutions and financial institutions, and groups of credit institutions and financial institutions, whose residual

risk profile has been classified as high pursuant to Article 12 shall qualify as selected obliged entities.

2.

However, where more than 40 entities are identified pursuant to paragraph 1, the Authority may, in consultation with

the supervisory authorities, agree on limiting the selection to a specific different number of entities or groups that is greater

than 40.

In deciding on a specific different number of selected obliged entities as referred to in the first subparagraph, the Authority

shall take into account its own resources in terms of its capacity to allocate or additionally hire the necessary number of

supervisory and support staff and shall ensure that the required increase in the financial and human resources is feasible.

Pursuant to the decision on the maximum number, the selected obliged entities shall be those obliged entities qualifying

under paragraph 1 which are operating in the highest number of Member States whether through establishments or under

the freedom to provide services.

Where the application of the criterion referred to in the third subparagraph yields more than the set maximum number of

selected obliged entities, the Authority shall select, from the obliged entities that would be selected in accordance with that

subparagraph and that operate in the smallest number of Member States, those which have the highest ratio of the volume

of transactions with third countries to the total volume of transactions measured over the last financial year.

32/90

EN

OJ L, 19.6.2024

3.

Where in a Member State no credit institution, financial institution or group of credit institutions or financial

institutions which is established, authorised or registered, or has a subsidiary there and whose risk profile is classified as

high, qualifies as a selected obliged entity pursuant to paragraphs 1 and 2 of this Article, the Authority shall carry out an

additional selection process in that Member State, on the basis of the methodology referred to in Article 12(7), point (b).

Following the additional selection process, the credit institution, financial institution or group of credit institutions or

financial institutions, established or registered in that Member State whose risk profile is classified as high, shall qualify as

a selected obliged entity.

Where several credit institutions or financial institutions, or groups of credit institutions or financial institutions, in the

Member State in question have a risk profile that is classified as high, the entity operating in the highest number of Member

States whether through establishments or under the freedom to provide services shall qualify as the selected obliged entity.

If several credit institutions or financial institutions, or groups of credit institutions or financial institutions, operate in the

same number of Member States, the entity with the highest ratio of transaction volume with third countries to total

transaction volume measured over the last financial year shall qualify as a selected obliged entity.

4.

The Authority shall commence the first selection process by 1 July 2027 and shall conclude the selection within six

months of the date of commencement. Subsequently, the selection process shall be carried out every three years after the

date of commencement of the first selection, and shall be concluded within six months for each selection process. The list of

the selected obliged entities shall be published by the Authority without undue delay upon completion of the selection

process. The Authority shall commence direct supervision of the selected obliged entities six months after publication of

the list.

5.

Prior to the publication of the list of the selected obliged entities, the Authority shall inform the relevant

non-AML/CFT authorities of the outcomes of the process of assessment and classification of inherent and residual risk of

the obliged entities subject to assessment.

6.

A selected obliged entity shall remain subject to direct supervision by the Authority until the Authority commences

the direct supervision of selected obliged entities based on a list established for the subsequent selection period which no

longer includes that obliged entity.

Article 14

Additional transfer of direct supervision tasks and powers in exceptional circumstances upon the request of

a financial supervisor

1.

A financial supervisor may submit a reasoned request to the Authority for the Authority to assume direct supervision

and carry out the tasks listed in Article 5(2) with respect to a particular non-selected obliged entity.

The request referred to in the first subparagraph shall only be submitted in exceptional circumstances with the aim of

addressing at Union level a heightened ML/TF risk or compliance failures at a non-selected obliged entity and to ensure

a consistent application of high supervisory standards.

2.

The request referred to in paragraph 1 shall:

(a) identify the non-selected obliged entity in respect of which the financial supervisor is of the view that the Authority

should assume direct supervision;

(b) state the reasons for which AML/CFT direct supervision of the non-selected obliged entity is necessary;

(c) identify and duly justify the proposed transfer date and the period for which the transfer of the tasks and powers is

requested; and

(d) provide all necessary supporting information, data and evidence that could be useful for the assessment of the request.

3.

The financial supervisor’s request shall be accompanied by a report indicating the supervisory history and risk profile

of the non-selected obliged entity concerned. The non-selected obliged entity shall be informed of the request and the

timeline proposed therein.

33/90

EN

OJ L, 19.6.2024

The Authority shall assess the request referred to in paragraph 1 within two months, or within a timeframe that

4.

allows the transfer of tasks and powers by the date proposed in the request, whichever is longer. The Authority shall only

agree to the requested transfer of direct supervision where at least one of the following conditions is met:

(a) the requesting supervisor can demonstrate the inefficacy of supervisory measures imposed on the non-selected obliged

entity in relation to serious, repeated or systematic breaches of applicable requirements;

(b) the heightened ML/TF risk or the serious, repeated or systematic breaches of applicable requirements affect several

entities within a non-selected obliged entity group, and the relevant financial supervisors agree that coordinated

supervisory action at Union level would be more effective to address them;

(c) the request concerns a temporary, objective and demonstrable lack of capacity at the level of the financial supervisor to

adequately and timely address the ML/TF risk of a non-selected obliged entity.

5.

Where the Executive Board of the Authority finds that the conditions set out in paragraphs 1, 2 and 4 have been

fulfilled, it shall adopt a decision addressed to the requesting financial supervisor and to the non-selected obliged entity

concerned notifying them of the acceptance of the request. The decision shall specify the date on which the Authority is to

assume direct supervision and the duration of such supervision. As of the date on which the Authority is to assume direct

supervision, the non-selected obliged entity concerned shall be deemed a selected obliged entity for the purposes of this

Regulation.

Upon the end of the duration of the direct supervision by the Authority, set out in the decision referred to in the first

subparagraph, the tasks and powers related to the direct supervision of the obliged entity concerned shall automatically be

transferred back to the financial supervisor, unless the Authority extends the application of that decision following

a corresponding request made by the financial supervisor in accordance with paragraphs 1 to 4.

6.

Where the Executive Board of the Authority refuses the financial supervisor’s request, it shall provide the reasons

thereof in writing, clearly indicating which conditions laid down in paragraphs 1, 2 and 4 have not been met. The Authority

shall consult the financial supervisor prior to taking a decision and shall ensure that the non-selected obliged entity is

informed of the outcome of the process.

Article 15

Cooperation within the AML/CFT supervisory system for the purposes of direct supervision

1.

Without prejudice to the Authority’s power pursuant to Article 21(3), point (a), to receive directly, or have direct

access to, information reported on an ongoing basis by selected obliged entities, financial supervisors shall provide the

Authority with all information necessary for carrying out the tasks conferred on the Authority in accordance with this

Regulation and other applicable Union law.

2.

Where appropriate, financial supervisors shall assist the Authority with the preparation and implementation of any

acts relating to the tasks referred to in Article 5(2), point (b), as regards all selected obliged entities, including assistance in

verification activities. They shall follow the instructions given by the Authority when performing those tasks.

3.

The Authority shall develop implementing technical standards specifying:

(a) the conditions under which financial supervisors are to assist the Authority pursuant to paragraph 2;

(b) the process of periodic assessment referred to in Article 12(1), including the roles of the supervisory authorities and the

Authority in assessing the risk profile of credit institutions and financial institutions referred to in that paragraph;

(c) the working arrangements for the transfer of supervisory tasks and powers to the Authority or from the Authority to

national level following a selection process, including arrangements on the continuity of pending supervisory

procedures or investigations;

(d) the procedures for the preparation and adoption of decisions on the selection of obliged entities;

34/90

EN

OJ L, 19.6.2024

(e) the detailed rules and arrangements for the composition and functioning of the joint supervisory teams referred to in

Article 16(1) and (2).

The Authority shall submit those draft implementing technical standards to the Commission by 1 January 2026.

The Commission is empowered to adopt the implementing technical standards referred to in the first subparagraph in

accordance with Article 53.

Article 16

Joint supervisory teams

1.

A joint supervisory team shall be established for the supervision of each selected obliged entity. Each joint supervisory

team shall be composed of staff from the Authority and from the financial supervisors responsible for supervision of the

selected obliged entity at national level. The members of the joint supervisory team shall be appointed in accordance with

paragraph 4 and shall work under the coordination of a designated staff member from the Authority (‘JST coordinator’).

2.

The JST coordinator shall ensure the coordination of the work within the joint supervisory team. Joint supervisory

team members shall follow the JST coordinator’s instructions as regards their tasks in the joint supervisory team. This shall

be without prejudice to their tasks and duties within their respective financial supervisors.

Each financial supervisor that appoints more than one staff member to the joint supervisory team pursuant to paragraph 4

may designate one of them as sub-coordinator (‘national sub-coordinator’). The national sub-coordinators shall assist the

JST coordinator as regards the organisation and coordination of the tasks in the joint supervisory team, in particular as

regards the staff members that were appointed by the same financial supervisor as the relevant national sub-coordinator.

The national sub-coordinator may give instructions to the members of the joint supervisory team appointed by the same

financial supervisor, provided that those instructions do not conflict with the instructions given by the JST coordinator.

3.

The tasks of a joint supervisory team shall include the following:

(a) performing the supervisory reviews and assessments of the selected obliged entities;

(b) coordinating on-site inspections of selected obliged entities and preparing supervisory measures where necessary;

(c) participating in the preparation of draft decisions applicable to the respective selected obliged entity to be proposed to

the General Board and Executive Board, taking into account the reviews, assessments and on-site inspections referred to

in points (a) and (b);

(d) liaising with financial supervisors where that is necessary to exercise supervisory tasks in any Member State where

a selected obliged entity is established.

4.

The Authority shall be responsible for the establishment and the composition of joint supervisory teams. The

Authority and the financial supervisors concerned shall appoint one or more persons from their staff as a member or

members of a joint supervisory team. A member may be appointed as a member of more than one joint supervisory team.

5.

The Authority and financial supervisors shall consult each other and agree on the use of staff with regard to the joint

supervisory teams.

6.

The Authority shall develop internal operational rules and procedures regarding the composition of joint supervisory

teams, notably with regard to staff from each financial supervisor, the status of staff from financial supervisors and the

allocation of human resources by the Authority to the joint supervisory teams, which shall ensure that those teams are

composed of staff with a sufficient level of knowledge, expertise and experience, and with sufficiently diverse knowledge,

backgrounds, expertise and experience.

35/90

EN

OJ L, 19.6.2024

Article 17

Requests for information

1.

The Authority may require selected obliged entities and natural persons employed by them or legal persons belonging

to them, and third parties to whom the selected obliged entities have outsourced operational functions or activities and

natural or legal persons affiliated to them, to provide it with all information it needs in order to carry out the tasks

conferred on it by this Regulation and other applicable Union law.

2.

The persons referred to in paragraph 1 or their representatives and, in the case of legal persons or associations having

no legal personality, the persons authorised to represent them by law or by their constitution, shall supply the requested

information without undue delay, ensuring that it is clear, accurate and complete. Lawyers duly authorised to act may

supply the information on behalf of their clients. Those clients shall remain fully responsible where the information

supplied is incomplete, incorrect or misleading.

3.

Where the Authority obtains the information requested pursuant to paragraph 1, it shall make that information

available to the financial supervisor concerned.

Article 18

General investigations

1.

In order to carry out the tasks conferred on it by this Regulation, the Authority may conduct all necessary

investigations of any selected obliged entity or any natural person employed by it or any legal person belonging to it,

established or located in a Member State.

To that end, the Authority may:

(a) require the submission of documents;

(b) examine the books and records of the persons concerned and take copies or extracts from the books and records;

(c) obtain access to internal audit reports, certification of accounts, and any software, databases, IT tools or other electronic

means of recording information;

(d) obtain access to documents and information relating to decision-making processes, including those developed by

algorithms or other digital processes;

(e) obtain written or oral explanations from any person referred to in Article 17 or their representatives or staff;

(f) interview any other person who consents to being interviewed for the purpose of collecting information relating to the

subject matter of an investigation.

2.

The persons referred to in Article 17 shall be subject to investigations launched on the basis of a decision of the

Authority. When a person obstructs the conduct of the investigation, the financial supervisor of the Member State where

the relevant premises are located shall provide, in compliance with national law, the necessary assistance, including

facilitating the access by the Authority to the business premises of the natural and legal persons referred to in Article 17, so

that the powers listed in paragraph 1 of this Article can be exercised.

Article 19

On-site inspections

1.

In order to carry out the tasks conferred on it by this Regulation, the Authority may, subject to prior notification of

the financial supervisor concerned, conduct all necessary on-site inspections at the business premises of the natural and

legal persons referred to in Article 17. With respect to natural persons whose business premises are the same as their

private residence, the Authority shall seek and obtain judicial authorisation for an on-site inspection. Where the proper

conduct and efficiency of the inspection so require, the Authority may carry out the on-site inspection without prior

announcement to those natural and legal persons.

36/90

EN

OJ L, 19.6.2024

2.

The Authority may decide to entrust the performance of on-site inspections to a joint supervisory team in accordance

with Article 16 or to a dedicated team, which could include joint supervisory team members where applicable. The

Authority shall be responsible for the establishment and composition of the on-site inspection teams, which shall be done

in cooperation with the financial supervisors.

3.

The staff of the Authority and other persons authorised by the Authority to conduct an on-site inspection may enter

any business premises and land of the natural or legal persons subject to a decision on investigation adopted by the

Authority and, as regards natural persons whose business premises are the same as their private residence, upon obtaining

a judicial authorisation for an on-site inspection pursuant to paragraph 1 of this Article. The staff of the Authority and

other persons authorised by the Authority shall have the powers provided for in Article 21.

4.

The natural and legal persons referred to in Article 17 shall be subject to on-site inspections on the basis of a decision

of the Authority.

5.

Staff and other accompanying persons authorised or appointed by the financial supervisor of the Member State where

the inspection is to be conducted shall, under the supervision and coordination of the Authority, actively assist the staff of

and other persons authorised by the Authority. To that end, they shall enjoy the powers set out in paragraph 3. Staff of

financial supervisors of the Member State concerned shall also have the right to participate in the on-site inspections.

6.

Where a person opposes the conduct of an on-site inspection ordered pursuant to this Article, the financial supervisor

of the Member State concerned shall provide the necessary assistance in accordance with national law. To the extent

necessary for the inspection, such assistance shall include the sealing of any business premises and books or records. Where

that power is not available to the financial supervisor concerned, it shall use its powers to request the necessary assistance

of other national authorities.

Article 20

Authorisation by a judicial authority

1.

If an on-site inspection provided for in Article 19 requires authorisation by a judicial authority in accordance with

national law, the Authority shall apply for such an authorisation.

2.

Where an authorisation as referred to in paragraph 1 is applied for, the national judicial authority shall verify that the

decision of the Authority is authentic and that the coercive measures envisaged are neither arbitrary nor excessive having

regard to the subject matter of the inspection. In its control of the proportionality of the coercive measures, the national

judicial authority may ask the Authority for detailed explanations, in particular relating to the grounds the Authority has for

suspecting that an infringement of the acts referred to in Article 1(2) has taken place, the seriousness of the suspected

infringement and the nature of the involvement of the person subject to the coercive measures. However, the national

judicial authority shall not review the necessity for the inspection or demand to be provided with the information on the

Authority’s file. The lawfulness of the Authority’s decision shall be subject to review only by the Court of Justice of the

European Union.

Article 21

Administrative measures

1.

For the purpose of carrying out its tasks referred to in Article 5(2), the Authority shall have the power to apply the

administrative measures set out in paragraphs 2 and 3 of this Article to require any selected obliged entity to take the

necessary measures where:

(a) the selected obliged entity is found to be in breach of the Union acts and national legislation referred to in Article 1(2);

(b) the Authority has sufficient and demonstrable indications that the selected obliged entity is likely to breach the Union

acts and national legislation referred to in Article 1(2) and the application of an administrative measure can prevent the

occurrence of the breach or reduce the risk thereof;

(c) based on a duly justified determination by the Authority, the internal policies, procedures and controls in place in the

selected obliged entity are not commensurate to the risks of money laundering, its predicate offences or terrorist

financing to which the selected obliged entity is exposed.

37/90

EN

OJ L, 19.6.2024

2.

For the purposes of Article 6(1), the Authority shall have, in particular, the power to apply the following

administrative measures:

(a) issue recommendations;

(b) order obliged entities to comply, including to implement specific corrective measures;

(c) issue a public statement which identifies the natural or legal person and the nature of the breach;

(d) issue an order requiring the natural or legal person to cease the conduct and to desist from repetition of that conduct;

(e) restrict or limit the business, operations or network of institutions comprising the selected obliged entity, or require the

divestment of activities;

(f) require changes in the governance structure;

(g) where a selected obliged entity is subject to authorisation, propose the withdrawal or suspension of that authorisation

to the authority that has granted it; where the authority which has granted that authorisation does not follow the

Authority’s proposal to suspend or withdraw, the Authority shall request it to provide the reasons thereof in writing.

3.

By means of the administrative measures referred to in paragraph 2, the Authority may in particular:

(a) require the provision of any data or information necessary for the fulfilment of tasks listed in Article 5(2) without

undue delay, require the submission of any document, or impose additional or more frequent reporting requirements;

(b) require the reinforcement of the internal policies, procedures and controls;

(c) require the application of a specific policy or requirements relating to categories of, or individual, clients, transactions,

activities or delivery channels that pose high ML/TF risks;

(d) require the implementation of measures to decrease the ML/TF risks in the activities and products of selected obliged

entities;

(e) temporarily ban any person exercising managerial responsibilities in the selected obliged entity, or any other natural

person held responsible for the breach, from exercising managerial functions in obliged entities.

4.

The administrative measures referred to in paragraph 2 shall be accompanied, where relevant, by binding deadlines

for their implementation. The Authority shall follow up and assess the implementation by the selected obliged entity of the

actions requested.

5.

Financial supervisors shall notify the Authority without undue delay where they become aware of one or more

indications that a selected obliged entity has breached Regulation (EU) 2023/1113 or Regulation (EU) 2024/1624.

6.

The administrative measures applied shall be effective, proportionate and dissuasive.

Article 22

Pecuniary sanctions

1.

For the purpose of carrying out the tasks conferred on it by this Regulation, the Authority may impose pecuniary

sanctions where a selected obliged entity breaches, whether intentionally or negligently, a requirement of Regulation

(EU) 2023/1113 or Regulation (EU) 2024/1624, or does not comply with a binding decision referred to in Article 6(1) of

this Regulation.

38/90

EN

OJ L, 19.6.2024

2.

Where the Executive Board of the Authority finds that a selected obliged entity has, intentionally or negligently,

committed a serious, repeated or systematic breach of directly applicable requirements contained in Regulation

(EU) 2023/1113 or Regulation (EU) 2024/1624, it shall adopt a decision imposing pecuniary sanctions, in accordance with

paragraph 3 of this Article. The pecuniary sanctions imposed for such breaches shall, depending on the circumstances of

each individual case, be imposed in addition to, or instead of, the administrative measures referred to in Article 21(2).

3.

The basic amount of the pecuniary sanctions referred to in paragraph 1 shall be included within the following limits:

(a) for serious, repeated or systematic breaches of one or more requirements related to customer due diligence, group-wide

policies, procedures and controls or reporting obligations that have been identified in two or more Member States

where a selected obliged entity operates, the amount shall be at least EUR 500 000 and shall not exceed EUR 2 000 000

or 1 % of the annual turnover, whichever is higher;

(b) for serious, repeated or systematic breaches of one or more requirements related to customer due diligence, internal

policies, procedures and controls or reporting obligations that have been identified in one Member State where

a selected obliged entity operates, the amount shall be at least EUR 100 000 and shall not exceed EUR 1 000 000 or

0,5 % of the annual turnover, whichever is higher;

(c) for serious, repeated or systematic breaches of all other requirements that have been identified in two or more Member

States where a selected obliged entity operates, the amount shall be at least EUR 100 000 and shall not exceed

EUR 2 000 000;

(d) for serious, repeated or systematic breaches of all other requirements that have been identified in one Member State

where a selected obliged entity operates, the amount shall be at least EUR 100 000 and shall not exceed EUR 1 000 000;

(e) for serious, repeated or systematic breaches of the decisions of the Authority referred to in Article 6(1), the amount

shall be at least EUR 100 000 and shall not exceed EUR 1 000 000.

4.

The basic amounts defined within the limits set out in paragraph 3 shall be adjusted, where needed, by taking into

account aggravating or mitigating factors in accordance with the relevant coefficients set out in Annex I. The relevant

aggravating coefficients shall be applied one by one to the basic amount. If more than one aggravating coefficient is

applicable, the difference between the basic amount and the amount resulting from the application of each individual

aggravating coefficient shall be added to the basic amount. Where the benefit derived from the breach or the losses to third

parties caused by the breach can be determined, they shall be added to the total amount of the sanction, after application of

the coefficients.

5.

The relevant mitigating coefficients shall be applied one by one to the basic amount. If more than one mitigating

coefficient is applicable, the difference between the basic amount and the amount resulting from the application of each

individual mitigating coefficient shall be subtracted from the basic amount.

6.

The maximum amount of a sanction for the serious, repeated or systematic breaches referred to in paragraph 3,

points (a) and (b), shall not exceed 10 % of the total annual turnover of the obliged entity in the preceding business year,

after application of the coefficients referred to in paragraphs 4 and 5.

7.

The maximum amount of a sanction for the serious, repeated or systematic breaches referred to in paragraph 3,

points (c) and (d), shall not exceed EUR 10 000 000 after application of the coefficients referred to in paragraphs 4 and 5.

8.

Where the selected obliged entity is a parent undertaking or a subsidiary of a parent undertaking which is required to

prepare consolidated financial statements in accordance with Article 22 of Directive 2013/34/EU of the European

Parliament and the Council (³⁷), the relevant total annual turnover shall be the total annual turnover or the corresponding

type of income in accordance with applicable accounting standards according to the last available consolidated accounts

approved by the management body of the ultimate parent undertaking.

9.

In the cases not covered by paragraph 1 of this Article, the Authority may, where necessary for the purpose of

carrying out the tasks conferred on it by this Regulation, require financial supervisors to open proceedings with a view to

taking action in order to ensure that appropriate pecuniary sanctions are imposed in accordance with the national law

37

Directive 2013/34/EU of the European Parliament and of the Council of 26 June 2013 on the annual financial statements,

consolidated financial statements and related reports of certain types of undertakings, amending Directive 2006/43/EC of the

European Parliament and of the Council and repealing Council Directives 78/660/EEC and 83/349/EEC (OJ L 182, 29.6.2013,

p. 19).

39/90

EN

OJ L, 19.6.2024

transposing Directive (EU) 2024/1640 and any relevant national legislation which confers specific powers which are

currently not required by Union law. The pecuniary sanctions imposed shall be effective, proportionate and dissuasive.

The first subparagraph shall be applicable to pecuniary sanctions to be imposed on selected obliged entities for breaches of

national law transposing Directive (EU) 2024/1640 and to any pecuniary sanctions to be imposed on members of the

management body of selected obliged entities who under national law are responsible for a breach by the selected obliged

entity.

10.

The pecuniary sanctions imposed by the Authority shall be effective, proportionate and dissuasive.

When determining the amount of the pecuniary sanction, the Authority shall take due consideration of the ability of the

selected obliged entity to pay the pecuniary sanction and, where the pecuniary sanction might affect compliance with

prudential regulation, consult the authorities competent for supervising compliance by the selected obliged entities with

applicable Union law.

Article 23

Periodic penalty payments

1.

The Executive Board may adopt a decision imposing a periodic penalty payment in order to compel:

(a) a selected obliged entity to put an end to a breach, where it fails to comply with an administrative measure applied

pursuant to Article 21(2), point (b), (d), (e) or (f), and Article 21(3);

(b) a person referred to in Article 17(1) to supply complete information which has been required by a decision pursuant to

Article 6(1);

(c) a person referred to in Article 17(1) to submit to an investigation and in particular to produce complete records, data,

procedures or any other material required and to complete and correct other information provided in an investigation

launched pursuant to Article 18.

2.

The periodic penalty payment shall be effective and proportionate. The periodic penalty payment shall be imposed

until the selected obliged entity or person concerned complies with the relevant administrative measure referred to in

paragraph 1.

3.

Notwithstanding paragraph 2, the amount of a periodic penalty payment shall not exceed, in the case of legal persons,

3 % of the average daily turnover in the preceding business year or, in the case of natural persons, 2 % of the average daily

income in the preceding calendar year. It shall be calculated from the date set in the decision imposing the periodic penalty

payment.

4.

A periodic penalty payment may be imposed for a period of no more than six months following the notification of

the Authority’s decision. Where, upon the expiry of that period, the selected obliged entity has not yet complied with the

administrative measure, the Authority may impose periodic penalty payments for an additional period of no more than six

months.

5.

The decision imposing a periodic penalty payment may be taken at a later stage with retroactive effect up to the date

of application of the administrative measure.

Article 24

Hearing of persons subject to proceedings

1.

Before taking any decision imposing a pecuniary sanction or periodic penalty payment under Article 22 or 23, the

Executive Board shall give the persons subject to the proceedings the opportunity to be heard on the Authority’s findings.

The Executive Board shall base its decisions only on findings on which the persons subject to the proceedings have had the

opportunity to comment.

2.

The rights of defence of the persons subject to the proceedings shall be fully respected during the proceedings. They

shall be entitled to have access to the Authority’s file, subject to the legitimate interest of other persons in the protection of

their business secrets. The right of access to the file shall not extend to confidential information or internal preparatory

documents of the Authority.

40/90

EN

OJ L, 19.6.2024

Article 25

Publication of administrative measures, pecuniary sanctions and periodic penalty payments

1.

The Authority shall publish every decision imposing pecuniary sanctions or periodic penalty payments or applying

administrative measures referred to in Article 21(2), points (c) to (g), adopted on cases referred to in Article 21(1), point (a),

immediately after the person responsible for the breach is informed of that decision. The publication shall include at least

the information on the type and nature of the breach, the identity of the person responsible, and, for pecuniary sanctions or

periodic penalty payments, their amount.

By way of derogation from the first subparagraph, where the publication concerns administrative measures that are

appealable and that do not aim to remedy serious, repeated and systematic breaches, the Authority may defer the

publication of those administrative measures until the expiry of the deadline for lodging an appeal to the Court of Justice of

the European Union.

2.

Upon the expiry of the deadline for a review of the decision by the Administrative Board of Review or, where such

a review was not requested by the obliged entity, the expiry of the deadline for an appeal to the Court of Justice of the

European Union, the Authority shall publish the information on a request for review or an appeal. Any subsequent

information on the outcome of such review or appeal shall be published by the Authority immediately after obtaining such

information. Any decision annulling a decision to impose a pecuniary sanction or a periodic penalty payment or apply an

administrative measure pursuant to Article 21(1), point (a), shall also be published.

3.

Notwithstanding the requirement referred to in paragraph 1, where the publication of the identity or the personal

data of the persons responsible is considered by the Authority to be disproportionate following a case-by-case assessment,

or where publication jeopardises the stability of financial markets or an ongoing investigation, the Authority shall:

(a) delay the publication of the decision until the moment when the reasons for not publishing it cease to exist;

(b) publish the decision on an anonymous basis, if such anonymous publication ensures the effective protection of the

personal data of the persons responsible; in that case, the Authority shall postpone the publication of the relevant data

for a reasonable period if it is foreseen that within that period the reasons for anonymous publication shall cease to

exist;

(c) not publish the decision at all in the event that the options set out in points (a) and (b) are considered insufficient to

ensure:

(i) that the stability of financial markets would not be put in jeopardy; or

(ii) the proportionality of the publication of the decision with regard to administrative measures applied in accordance

with Article 21(1), point (a), where such measures are deemed to be of a minor nature.

4.

1.

The Authority shall make any publication pursuant to this Article accessible on its website for a period of five years.

Article 26

Enforcement of pecuniary sanctions and periodic penalty payments and allocation of the amounts of those

sanctions and payments

Pecuniary sanctions and periodic penalty payments imposed pursuant to Articles 22 and 23 shall be enforceable.

Enforcement shall be governed by the rules of civil procedure in force in the Member State in the territory of which

enforcement is carried out. The order for enforcement shall be appended to the decision to impose pecuniary sanctions or

periodic penalty payments pursuant to Articles 22 and 23 without any formality other than verification of the authenticity

of the decision by the authority which the government of each Member State shall designate for that purpose and shall

make known to the Authority and to the Court of Justice of the European Union.

When those formalities have been completed on application by the party concerned, that party may proceed to

enforcement in accordance with national law, by bringing the matter directly before the competent body.

41/90

EN

OJ L, 19.6.2024

Enforcement may be suspended only by a decision of the Court of Justice of the European Union. However, the courts of

the Member State concerned shall have jurisdiction over complaints that enforcement is being carried out in an irregular

manner.

2.

The amounts of the pecuniary sanctions and periodic penalty payments collected shall be allocated to the general

budget of the Union.

Article 27

Procedural rules for taking supervisory measures and imposing pecuniary sanctions and periodic penalty

payments

1.

Where, in carrying out its duties under this Regulation, the Authority finds that there are serious indications of the

possible existence of facts liable to constitute one or more of the breaches listed in Annex II, the Authority shall appoint an

independent investigatory team within the Authority to investigate the matter. The investigatory team shall not be involved

or have been involved in the direct supervision of the selected obliged entity concerned and shall perform its functions

independently from the Executive Board. The Authority shall develop internal procedures to determine the rules governing

the selection of the members of the independent investigatory team, in particular with regard to the knowledge,

background, expertise and experience of those members.

2.

The investigatory team shall investigate the alleged breaches, taking into account any comments submitted by the

persons subject to investigation, and shall submit a complete file with its findings to the Executive Board.

In order to carry out its tasks, the investigatory team may require information in accordance with Article 17 and conduct

investigations and on-site inspections in accordance with Articles 18 and 19.

Where carrying out its tasks, the investigatory team shall have access to all documents and information gathered by the

joint supervisory team in its supervisory activities.

3.

Upon completion of its investigation and before submitting the file with its findings to the Executive Board, the

investigatory team shall give the persons subject to investigation the opportunity to be heard on the matters being

investigated. The investigatory team shall base its findings only on facts on which the persons subject to investigation have

had the opportunity to comment.

The rights of defence of the persons concerned shall be fully respected during investigations under this Article.

4.

When submitting the file with its findings to the Executive Board, the investigatory team shall notify that fact to the

persons subject to investigation. The persons subject to investigation shall be entitled to have access to the file, subject to

the legitimate interest of other persons in the protection of their business secrets. The right of access to the file shall not

extend to confidential information affecting third parties.

5.

On the basis of the file containing the investigatory team’s findings and, when requested by the persons concerned,

after having heard the persons subject to investigation in accordance with Article 24(1), the Executive Board shall decide if

one or more of the breaches listed in Annex II have been committed by the persons who are subject to investigation and, in

such case, shall impose a pecuniary sanction in accordance with Article 22 and apply an administrative measure in

accordance with Article 21 in addition to, or instead of, imposing a pecuniary sanction.

6.

The investigatory team shall not participate in the deliberations of the Executive Board or in any other way intervene

in the decision-making process of the Executive Board.

7.

The Commission shall adopt further rules of procedure for the exercise of the power to impose pecuniary sanctions

or periodic penalty payments, including provisions on rights of defence, temporal provisions, and the collection of

pecuniary sanctions or periodic penalty payments, and shall adopt detailed rules on the limitation periods for the

imposition and enforcement of penalties.

The rules referred to in the first subparagraph shall be adopted by means of delegated acts supplementing this Regulation, in

accordance with Article 100.

The Commission shall adopt the delegated acts referred to in the second subparagraph by 1 January 2027.

42/90

EN

OJ L, 19.6.2024

8.

The Authority shall refer matters for criminal prosecution to the relevant national authorities where, in carrying out

its duties under this Regulation, it finds that there are serious indications of the possible existence of facts liable to

constitute criminal offences. In addition, the Authority shall refrain from imposing pecuniary sanctions or periodic penalty

payments where a prior acquittal or conviction arising from identical facts, or from facts which are substantially the same,

has acquired the force of res judicata as the result of criminal proceedings under national law.

Article 28

Review by the Court of Justice of the European Union

The Court of Justice of the European Union shall have unlimited jurisdiction to review decisions of the Authority imposing

a pecuniary sanction or a periodic penalty payment. It may annul, or reduce or increase the amount of, the pecuniary

sanction or periodic penalty payment imposed.

Article 29

Language arrangements in direct supervision

1.

The Authority and the financial supervisors shall adopt arrangements for their communications within the AML/CFT

supervisory system, including the language(s) to be used.

2.

Any document which a selected obliged entity or any other natural or legal person individually subject to the

Authority’s supervisory procedures submits to the Authority may be drafted in any of the official languages of the Union,

chosen by the selected obliged entity or natural or legal person concerned.

3.

The Authority, the selected obliged entities and any other legal or natural person individually subject to the

Authority’s supervisory procedures may agree to exclusively use one of the official languages of the Union in their written

communications, including with regard to the Authority’s supervisory decisions.

4.

Where an agreement on the exclusive use of one language as referred to in paragraph 3 is subsequently revoked, that

revocation shall only affect the aspects of the Authority’s supervisory procedure which have not yet been carried out.

5.

Where participants in an oral hearing request to be heard in an official language of the Union other than the language

of the Authority’s supervisory procedure, sufficient advance notice of that requirement shall be given to the Authority so

that it can make the necessary arrangements.

SECTION 4

Indirect supervision of non-selected obliged entities

Article 30

Assessments of the state of supervisory convergence

1.

The Authority shall perform periodic assessments of some or all of the activities of one, several, or all financial

supervisors, as well as of their tools and resources. As part of each assessment, the Authority shall assess the extent to

which a financial supervisor performs its tasks in accordance with Directive (EU) 2024/1640 and takes the necessary steps

to ensure consistent high-level supervisory standards and practices. The assessments shall take into account the level of

harmonisation of supervisory approaches and, to that end, shall include a review of the application of all or part of the

AML/CFT supervisory methodology developed pursuant to Article 8, and it shall cover all financial supervisors in a single

assessment cycle. The Executive Board shall adopt, after consulting the General Board in supervisory composition, an

assessment cycle plan. The General Board, acting by a majority of two thirds of its members, may require the Executive

Board to adopt a new plan. The length of each assessment cycle shall be determined by the Authority and shall not exceed

seven years.

The Authority shall develop methods to allow for a consistent assessment of, and comparison between, the financial

supervisors reviewed in the same cycle. At the end of each assessment cycle, the Authority shall submit its findings to the

European Parliament and to the Council.

43/90

EN

OJ L, 19.6.2024

The assessments shall be carried out by the staff of the Authority and, following an open call for participation, by the

2.

staff of financial supervisors that are not subject to review, on a voluntary basis. Where relevant, the assessments shall take

due account of the evaluations, assessments or reports drawn up by international organisations and intergovernmental

bodies with competence in the field of ML/TF prevention. The assessments may also take due account of the information set

out in the central AML/CFT database established pursuant to Article 11.

3.

The Authority shall produce a report setting out the results of each assessment. A draft version of the report shall be

submitted to the financial supervisor subject to the assessment for comments, prior to its consideration by the General

Board in supervisory composition. Within a deadline determined by the Authority, the financial supervisor subject to the

assessment shall submit comments to the draft report. The final report shall be adopted by the Executive Board, taking into

account the observations of the General Board in supervisory composition. The Executive Board shall ensure consistency in

the application of the assessment methodology. The report shall explain and indicate any specific follow-up measures

required to be taken by the financial supervisor subject to the assessment that are deemed appropriate, proportionate and

necessary as a result of the assessment. The follow-up measures may be adopted in the form of guidelines and

recommendations of the General Board. The follow-up measures may also be adopted in the form of individual

recommendations taken by the Executive Board. Those individual follow-up measures shall only be published upon the

consent of the financial supervisor concerned and only in summary or aggregate form, such that individual financial

institutions cannot be identified. The published version of the report shall not include confidential information nor

references to specific financial supervisors.

4.

Financial supervisors shall make every effort to comply with the specific follow-up measures addressed to them as

a result of the assessment. Where applicable, financial supervisors shall provide regular updates to the Authority regarding

the type of measures that they have implemented in response to the report referred to in paragraph 3.

Article 31

Coordination and facilitation of the work of the AML/CFT supervisory colleges in the financial sector

1.

The Authority shall ensure, within the scope of its powers and without prejudice to the powers of the relevant

financial supervisors, that AML/CFT supervisory colleges in the financial sector are established and functioning consistently

for non-selected obliged entities operating establishments in several Member States in accordance with Article 49 of

Directive (EU) 2024/1640. To that end, the Authority may:

(a) establish a college, where such a college has not yet been established even though the conditions for its establishment

set out in Article 49 of Directive (EU) 2024/1640 are met, and convene and organise meetings of colleges;

(b) assist in the organisation of college meetings, where requested by the relevant financial supervisors;

(c) assist in the organisation of joint supervisory plans and joint on-site inspections or off-site investigations;

(d) collect and share all relevant information in cooperation with the financial supervisors in order to facilitate the work of

the college and make such information accessible to the authorities of the college;

(e) promote effective and efficient supervisory activities and practices, including evaluating the risks to which non-selected

obliged entities are or might be exposed;

(f) oversee, in accordance with the tasks and powers specified in this Regulation, the tasks carried out by the financial

supervisors.

2.

For the purposes of paragraph 1, the staff of the Authority shall have full participation rights in the AML/CFT

supervisory colleges and shall be able to participate in their activities, including on-site inspections, carried out jointly by

two or more financial supervisors.

44/90

EN

OJ L, 19.6.2024

Article 32

Requests to act in exceptional circumstances following indications of serious, repeated or systematic breaches

1.

Financial supervisors shall notify the Authority where the situation of any non-selected obliged entity with regard to

its compliance with Regulation (EU) 2024/1624, Regulation (EU) 2023/1113, any other legal provisions adopted for the

implementation of those Regulations or any administrative act issued by any supervisor and its exposure to ML/TF risks,

deteriorates rapidly and significantly, in particular where such deterioration might negatively impact several Member States

or the Union as a whole or undermine the integrity of the Union’s financial system.

2.

The Authority may, where it has indications of serious, repeated or systematic breaches by a non-selected obliged

entity, request its financial supervisor to:

(a) investigate such indications, which could concern breaches of Union law or, where such Union law is composed of

directives or expressly grants options for Member States, breaches of national law to the extent that that national law

transposes directives or exercises options granted to Member States by Union law; and

(b) consider imposing sanctions on that entity in respect of such breaches in accordance with directly applicable Union law

or national law transposing directives.

In that context, the Authority may, where necessary, also request the financial supervisor of a non-selected obliged entity to

adopt an individual decision addressed to that entity requiring it to undertake all necessary actions to comply with its

obligations under directly applicable Union law or under national law to the extent that it transposes directives or exercises

options granted to Member States by Union law, including the cessation of any practice. The requests referred to in this

paragraph shall not impede ongoing supervisory measures by the financial supervisor to which the request is addressed.

3.

A request referred to in paragraph 2 may be initiated where the Authority has indications of a serious, repeated or

systematic breach:

(a) following notifications by financial supervisors pursuant to paragraph 1;

(b) as a result of the Authority’s own collection of well-substantiated information; or

(c) upon receipt of information from Union institutions, bodies, offices or agencies, or from any other reliable and credible

information source.

4.

The financial supervisor concerned shall comply with any request addressed to it in accordance with paragraph 2 and

shall inform the Authority as soon as possible, and at the latest within 10 working days of the day of the notification of

such request, of the steps it has taken or intends to take to comply with that request.

5.

Where a request referred to in paragraph 2 is not complied with or information on the steps taken or intended to be

taken to comply with it is not provided to the Authority within 10 working days of the day of the notification of the

request, the Authority may request the Commission to grant permission to transfer temporarily the relevant tasks and

powers referred to in Article 5(2) and Article 6(1) related to direct supervision of the non-selected obliged entity from the

financial supervisor concerned to the Authority.

6.

A request from the Authority to the Commission pursuant to paragraph 5 shall contain the following:

(a) a description of the serious, repeated or systematic breaches of the directly applicable requirements by the non-selected

obliged entity and an explanation of why such breaches fall within the scope of competence of the Authority, pursuant

to paragraphs 2 and 3;

(b) an explanation of why the request to the financial supervisor referred to in paragraph 2 did not result in any action

being taken within the time limit set in paragraph 4, including, where relevant, the information that no reply was

submitted by the financial supervisor;

(c) a proposed length of time of a maximum of three years, during which the Authority will exercise the relevant tasks and

powers in relation to the non-selected obliged entity concerned;

45/90

EN

OJ L, 19.6.2024

(d) a description of the measures that the Authority intends to take in relation to the non-selected obliged entity concerned

upon the transfer of the relevant tasks and powers to address the serious, repeated or systematic breaches referred to in

paragraph 2;

(e) any relevant communication between the Authority and the financial supervisor concerned.

7.

Based on the information received pursuant to paragraph 6, the Commission shall have one month from the date of

receipt of the request from the Authority to adopt a duly justified decision whether to authorise the transfer of the relevant

tasks and powers or to oppose it. The decision shall be notified to the Authority, which shall immediately inform the

financial supervisor and the non-selected obliged entity thereof. The European Parliament and the Council shall be informed

of the decision.

8.

On the tenth working day after the decision authorising the transfer of tasks and powers in relation to the

non-selected obliged entity has been notified to the Authority, the non-selected obliged entity shall be deemed a selected

obliged entity for the purposes of the exercise of the tasks referred to in Article 5(2) and the powers referred to in Article 6

(1) and Articles 17 to 23. The Commission decision shall set a time limit for the exercise of those tasks and powers, upon

the expiry of which they shall be automatically transferred back to the financial supervisor concerned.

9.

After having consulted the financial supervisor concerned, the Authority may submit to the Commission a request to

extend the application of the decision authorising the transfer of tasks and powers. That request shall be submitted at least

two months before the expiry of the initial period.

The request referred to in the first subparagraph shall be accompanied by the following:

(a) a description of the measures that the Authority has taken in relation to the obliged entity concerned and of the further

measures it intends to take;

(b) a justification as to why those remaining measures address breaches that still fall within the scope of competence of the

Authority, pursuant to paragraph 2;

(c) a proposed length of time of a maximum of three years for the continued exercise of the tasks referred to in Article 5(2)

and the powers referred to in Article 6(1) and Articles 17 to 23 in relation to the obliged entity;

(d) any relevant communication between the Authority and the financial supervisor concerned.

The Commission shall adopt a decision whether to grant the extension within the time limit indicated in paragraph 7. Any

extension granted pursuant to this paragraph may be granted only once.

Article 33

Settlement of disagreements between financial supervisors in cross-border situations

1.

The Authority may assist financial supervisors in reaching an agreement in accordance with the procedure set out in

paragraphs 3, 4 and 5 of this Article at the request of one or more financial supervisors pursuant to Article 46, 47, 49 or

54 of Directive (EU) 2024/1640 or in other instances where a financial supervisor disagrees with the procedure or content

of an action, proposed action, or inactivity of another financial supervisor insofar as it affects its own supervisory tasks and

responsibilities in relation to a specific non-selected obliged entity or multiple non-selected obliged entities.

2.

In cases other than those covered by Articles 46, 47, 49 and 54 of Directive (EU) 2024/1640, a financial supervisor

shall request the assistance of the Authority without undue delay where a provision of Union law requires that financial

supervisor to reach, with another financial supervisor, an agreement, arrangement or other form of established or

formalised cooperation relating to the supervision of specific non-selected obliged entities, and any of the following occurs:

(a) the agreement has been reached but has not been effectively applied or adhered to by one of the parties;

(b) a financial supervisor concludes, on the basis of objective reasons, that a disagreement exists;

46/90

EN

OJ L, 19.6.2024

(c) two months have elapsed from the date of receipt by a financial supervisor of a request from another financial

supervisor to take certain action in order to comply with the legislative acts referred to in Article 1(2) of this Regulation

and the requested supervisor has not adopted a decision that satisfies the request.

3.

The Executive Board shall assess any request referred to in paragraphs 1 and 2 and notify the relevant parties whether

it considers the request justified and intends to act upon it in accordance with this Article.

4.

The Authority shall set a time limit for conciliation between the financial supervisors, taking into account any relevant

time periods specified in Union law and the complexity and urgency of the matter. For the purposes of the conciliation

phase, the Authority shall act as a mediator. Where necessary or provided for in Union law, it shall issue an opinion on how

to settle the disagreement.

5.

Where the financial supervisors fail to reach an agreement during the conciliation phase referred to in paragraph 4, or

where they fail to follow the opinion issued by Authority, the Authority may require those supervisors to take specific

action or refrain from certain action, in order to settle the matter, and to ensure compliance with Union law. The decision of

the Authority shall be binding on the financial supervisors. The Authority’s decision may require financial supervisors to

revoke or amend a decision that they have adopted or to make use of their powers under applicable Union law.

6.

The Authority shall notify the financial supervisors of the conclusion of the procedures under paragraphs 4 and 5

together with, where applicable, its decision taken under paragraph 5.

7.

Any action by the financial supervisors in relation to facts which are subject to a decision pursuant to paragraph 5

shall be compatible with such a decision.

8.

In the report referred to in Article 84, the Chair of the Authority shall set out the nature and type of disagreements

between financial supervisors, the agreements reached and the decisions taken to settle such disagreements.

Article 34

Action in cases of systematic failures of supervision

1.

Where a financial supervisor has not applied measures laid down in Directive (EU) 2024/1640, or the provisions of

national law transposing that Directive, or has applied measures in a way that appears to be a breach of Union law leading

to systematic failures in its supervision which affect multiple obliged entities and undermine the effectiveness of the

AML/CFT supervisory system, the Authority shall act in accordance with the powers set out in paragraphs 2, 3 and 4.

2.

The Authority may initiate an investigation of a potential breach of Union law referred to in paragraph 1 on its own

initiative where it has an indication of such a breach based on well-substantiated information collected by the Authority

when carrying out its tasks pursuant to this Regulation.

The Authority may also investigate an alleged breach or non-application of Union law upon a well-substantiated request

from one or more financial supervisors, the European Parliament or the Commission.

Where an investigation of a potential breach of Union law has been requested pursuant to the first or second subparagraph,

the Authority shall duly inform the party making the request how it intends to proceed with the matter and whether an

investigation into the alleged breach is warranted. Where the Authority decides to proceed with an investigation, it shall

first inform the financial supervisor concerned.

3.

The financial supervisor that is the subject of an investigation pursuant to paragraph 2 shall, without delay, provide

the Authority with all information that the Authority requests for the purposes of its investigation, including as regards

how the acts referred to in paragraph 1 are applied in accordance with Union law.

4.

Where deemed appropriate and necessary, the Authority may also, after having informed the financial supervisor that

is the subject of the investigation, provide an opportunity to all other financial supervisors to transmit information to the

Authority that they deem relevant or directly address a duly justified and reasoned request for information to any other

financial supervisor. The addressees of such a request shall, without undue delay, provide the Authority with clear, accurate

and complete information.

47/90

EN

OJ L, 19.6.2024

5.

The Authority may, no later than six months from the date of initiating its investigation, address a recommendation

to the financial supervisor subject to investigation, setting out the action necessary to comply with Union law.

Before issuing such a recommendation, the Authority shall engage with the financial supervisor where it considers that such

engagement is appropriate in order to resolve the systematic failures of supervision resulting in the breach of Union law, in

an attempt to reach an agreement on the actions necessary for compliance with Union law.

The financial supervisor shall, within 10 working days of receipt of the recommendation, inform the Authority of the steps

it has taken or intends to take to ensure compliance with Union law.

6.

Where the financial supervisor has not complied with Union law within one month of the date of receipt of the

Authority’s recommendation, the Commission may, after having been informed of that fact by the Authority or on its own

initiative, issue a formal opinion requiring the financial supervisor to take the action necessary to comply with Union law.

The Commission’s formal opinion shall take into account the Authority’s recommendation.

The Commission shall issue such a formal opinion within three months of the date of adoption of the recommendation.

The Commission may extend that period by one month.

The Authority and the financial supervisor shall provide the Commission with all necessary information.

7.

The financial supervisor shall, within 10 working days of receipt of the formal opinion referred to in paragraph 6,

inform the Commission and the Authority of the steps it has taken or intends to take to comply with that formal opinion.

When taking action in relation to issues which are the subject of a formal opinion, the financial supervisor shall comply

with that formal opinion.

SECTION 5

Oversight of the non-financial sector

Article 35

Peer reviews

1.

The Authority shall periodically conduct peer reviews of some or all of the activities of non-financial supervisors and

public authorities referred to in Article 52 of Directive (EU) 2024/1640 to strengthen consistency and effectiveness in

supervisory outcomes. The Authority shall develop methods to allow for an objective assessment and comparison between

the non-financial supervisors reviewed. Where relevant, the planning and conducting of assessments shall take due account

of the evaluations, assessments and reports drawn up by international organisations and intergovernmental bodies with

competence in the field of AML/CFT. The assessments may also take due account of the information contained in the

central AML/CFT database established pursuant to Article 11 of this Regulation.

The methods referred to in the first subparagraph shall take into account the specific features of the supervisory framework

in cases where supervision is entrusted to self-regulatory bodies, including the role of the public authority responsible for

overseeing those bodies pursuant to Article 52 of Directive (EU) 2024/1640, and the specific characteristics of supervisors

in those cases.

2.

Peer reviews shall be carried out by the staff of the Authority jointly with the relevant staff of the non-financial

supervisors and of the public authorities as referred to in Article 52 of Directive (EU) 2024/1640.

3.

The peer review shall include an assessment of, but not be limited to:

(a) the adequacy of powers and of financial, human and technical resources, the degree of independence and the

governance arrangements and professional standards of the non-financial supervisor to ensure the effective application

of Chapter IV of Directive (EU) 2024/1640;

(b) the effectiveness and the degree of convergence reached in the application of Union law and in supervisory practice, and

the extent to which the supervisory practice achieves the objectives set out in Union law;

48/90

EN

OJ L, 19.6.2024

(c) the application of best practices developed by non-financial supervisors whose adoption might be of benefit for other

non-financial supervisors;

(d) the effectiveness and the degree of convergence reached with regard to the enforcement of the provisions adopted in the

implementation of Union law, including the pecuniary sanctions imposed and administrative measures applied against

persons responsible where those provisions have not been complied with.

4.

The Authority shall produce a report setting out the results of the peer review. That peer review report shall be jointly

prepared by the staff of the Authority and the relevant staff of the non-financial supervisors and of the public authorities as

referred to in Article 52 of Directive (EU) 2024/1640 involved in the peer review, and adopted by the Executive Board,

having received the observations of the General Board in supervisory composition as to the consistency of application of

the methodology with other peer review reports. The report shall explain and indicate the follow-up measures that are

deemed appropriate, proportionate and necessary as a result of the peer review. Those follow-up measures may be adopted

in the form of guidelines and recommendations pursuant to Article 54 and opinions pursuant to Article 55 of this

Regulation. The non-financial supervisors and the public authorities as referred to in Article 52 of Directive

(EU) 2024/1640 shall make every effort to comply with any guidelines and recommendations issued, in accordance with

Article 54(3) of this Regulation.

5.

The Authority shall publish the findings of the peer review on its website and inform at least the European Parliament

thereof. It shall submit an opinion to the Commission where, having regard to the outcome of the peer review or to any

other information acquired by the Authority in carrying out its tasks, it considers that further harmonisation of Union rules

applicable to obliged entities in the non-financial sector or to non-financial supervisors would be necessary from the

Union’s perspective.

6.

The Authority shall provide a follow-up report two years after the publication of the peer review report. The

follow-up report shall be jointly prepared by the staff of the Authority and the relevant staff of the non-financial supervisors

involved in the peer review, and shall be adopted by the Executive Board, having received the observations of the General

Board in supervisory composition on the consistency of application of the methodology with other peer review reports.

The follow-up report shall include an assessment of the adequacy and effectiveness of the actions undertaken by the

non-financial supervisors that were subject to the peer review in response to the follow-up measures of the peer review

report. The Authority shall publish the findings of the follow-up report on its website.

7.

For the purposes of this Article, the Executive Board shall adopt a peer review work plan every two years, after

consulting the General Board in supervisory composition. That peer review work plan shall reflect the lessons learnt from

past peer review processes and discussions held in the General Board in supervisory composition. The General Board in

supervisory composition, acting by a majority of two thirds of its members, may require the Executive Board to adopt

a new plan. The peer review work plan shall constitute a separate part of the annual and multiannual working programme

and shall be included in the single programming document referred to in Article 65. In the case of urgent or unforeseen

events, the Authority may decide to carry out additional peer reviews.

8.

Where peer reviews concern supervisory activities which in one or more Member States are carried out by

self-regulatory bodies, the peer review shall include an assessment of measures taken pursuant to Article 52 of Directive

(EU) 2024/1640 by the public authority responsible for overseeing those bodies to ensure that they perform their function

adequately and effectively.

9.

Where peer reviews concern supervisory activities which in one or more Member States are carried out by

self-regulatory bodies, those self-regulatory bodies shall not be required to participate. However, where they indicate an

interest in participating in a peer review, staff of those bodies that are entrusted with supervisory tasks shall be allowed to

participate in that peer review.

Article 36

Coordination and facilitation of the work of AML/CFT supervisory colleges in the non-financial sector

1.

The Authority shall, within the scope of its powers and without prejudice to the powers of the relevant non-financial

supervisors pursuant to Article 50 of Directive (EU) 2024/1640, assist in the setting up and functioning of AML/CFT

supervisory colleges in the non-financial sector for obliged entities in the non-financial sector operating establishments in

several Member States in accordance with that Article.

49/90

EN

OJ L, 19.6.2024

2.

For the purposes of paragraph 1, the Authority may:

(a) suggest the establishment of a college where no such college has been established even though the Authority considers

that the ML/TF risk exposure of the obliged entity and the scale of its cross-border activities justify the establishment of

a college, and the convocation and organisation of college meetings;

(b) assist in the organisation of college meetings and in the assessment of whether the conditions for the participation of

third-country supervisors in the college are met, where requested by the relevant non-financial supervisors;

(c) assist in the organisation of joint supervisory plans and joint on-site inspections or off-site investigations;

(d) assist the non-financial supervisors in the collection and sharing of all relevant information in order to facilitate the

work of the college and make such information accessible to the supervisors in the college;

(e) promote effective and efficient supervisory activities and practices, including evaluating the risks to which obliged

entities in the non-financial sector are or might be exposed;

(f) provide assistance to non-financial supervisors, upon their specific requests, including requests to mediate between

non-financial supervisors in the situations covered by Article 50(2) and (3) of Directive (EU) 2024/1640.

3.

For the purposes of paragraph 1, the staff of the Authority shall have full participation rights in AML/CFT supervisory

colleges. Upon the agreement of the non-financial supervisors concerned, the staff of the Authority shall be able to

participate in the activities of the college carried out jointly by two or more non-financial supervisors, including on-site

inspections of obliged entities in the non-financial sector, except those covered by Article 3, point (3)(a) and (b), of

Regulation (EU) 2024/1624.

Article 37

Warnings of breaches of Union law by non-financial supervisors and public authorities overseeing self-regulatory

bodies

1.

Where the Authority has grounds to suspect that a non-financial supervisor or a public authority overseeing

self-regulatory bodies referred to in Article 52 of Directive (EU) 2024/1640 has not applied the Union acts or the national

legislation referred to in Article 1(2) of this Regulation, or has applied them in a way which appears to breach Union law, it

shall inform the supervisor or public authority concerned of those suspected breaches and investigate them.

For the purposes of the first subparagraph, the Authority may act upon the request of one or more non-financial

supervisors or public authorities, the European Parliament, the Council or the Commission, or on its own initiative,

including where such action is based on well-substantiated information from natural or legal persons pursuant to

Article 90.

2.

The Authority shall be able to request from the supervisor or public authority concerned all information which the

Authority considers necessary for its investigation, including information on how the Union acts or national legislation

referred to in Article 1(2) of this Regulation are applied in accordance with Union law, but with the exception of

information covered by legal privilege, unless the exemptions set out in Article 21(2), second subparagraph, and Article 70

(2), second subparagraph, of Regulation (EU) 2024/1624 and in Article 52(3), point (a), of Directive (EU) 2024/1640 apply.

The supervisor or public authority concerned shall, without delay, provide the Authority with the requested information.

Whenever the requested information from the supervisor or public authority concerned has proven, or is deemed to be,

insufficient to obtain the information that is deemed necessary for the purposes of investigating the suspected breach, the

Authority may, after having informed the supervisor or public authority concerned, address a duly justified and reasoned

request for information directly to other supervisors or public authorities overseeing self-regulatory bodies.

50/90

EN

OJ L, 19.6.2024

The addressee of such a request shall provide the Authority with clear, accurate and complete information without undue

delay.

3.

The Authority may, not later than six months from initiating its investigation, address a recommendation to the

supervisor or public authority concerned setting out the action necessary to remedy the identified breach.

Before issuing such a recommendation, the Authority shall engage with the supervisor or public authority concerned where

it considers such engagement appropriate in order to resolve the breach, in an attempt to reach agreement on the actions

necessary to that end.

The supervisor or public authority concerned shall, within 10 working days of receipt of the recommendation, inform the

Authority of the steps it has taken or intends to take to resolve the breach.

4.

Where the supervisor or public authority has not resolved the identified breach referred to in paragraph 3, first

subparagraph, within one month of receipt of the Authority’s recommendation, the Authority shall issue a warning

detailing the breach and identifying measures to be implemented by the addressees of the warning to mitigate its effects.

The warning referred to in the first subparagraph shall be addressed:

(a) in the case of a non-financial supervisor, to the counterpart supervisors in other Member States and, where the

supervisor is a self-regulatory body, its public authority;

(b) in the case of a public authority, to the self-regulatory bodies under its oversight.

5.

As soon as the supervisor or public authority concerned has resolved the breach, the Authority shall inform the

addressees of its warning referred to in paragraph 4 that the breach has been resolved and that the mitigating measures have

ceased.

Article 38

Settlement of disagreements between non-financial supervisors in cross-border situations

1.

The Authority may assist non-financial supervisors in reaching an agreement in accordance with the procedure set

out in paragraphs 3 and 4 of this Article at the request of one or more non-financial supervisors pursuant to Article 46, 47,

50 or 54 of Directive (EU) 2024/1640 or in other instances where a non-financial supervisor disagrees with the procedure

or content of an action, proposed action or inactivity of another non-financial supervisor insofar as it affects its own

supervisory tasks and responsibilities in relation to a specific obliged entity or multiple obliged entities.

2.

In cases other than those covered by Articles 46, 47, 50 and 54 of Directive (EU) 2024/1640, a non-financial

supervisor shall request the assistance of the Authority without undue delay where a provision of Union law requires that

non-financial supervisor to reach, with another non-financial supervisor or other non-financial supervisors, an agreement,

an arrangement or other form of established or formalised cooperation relating to the supervision of specific obliged

entities, and any of the following occurs:

(a) the agreement has been reached but has not been effectively applied or adhered to by one of the parties,

(b) a non-financial supervisor concludes on the basis of objective reasons that a disagreement exists;

(c) two months have elapsed from the date of receipt by a non-financial supervisor of a request from another non-financial

supervisor to take certain action in order to comply with the legislative acts referred to in Article 1(2) of this Regulation

and the requested supervisor has not adopted a decision that satisfies the request.

3.

The Executive Board shall assess any request referred to in paragraphs 1 and 2 and notify the relevant parties whether

it considers the request justified and intends to act upon it in accordance with this Article.

51/90

EN

OJ L, 19.6.2024

The Authority shall set a time limit for conciliation between the non-financial supervisors taking into account any

4.

relevant time periods specified in Union law and the complexity and urgency of the matter. For the purposes of the

conciliation phase, the Authority shall act as a mediator. Where necessary or provided for in Union law, the Authority shall

issue an opinion on how to settle the disagreement.

SECTION 6

Support and coordination mechanism for FIUs

Article 39

Cooperation between the Authority and Financial Intelligence Units

1.

The Authority shall be responsible for ensuring the effective and consistent cooperation between Financial Intelligence

Units (‘FIUs’) within the framework of the support and coordination mechanism for FIUs. To that end, the Authority shall

support and coordinate the activities of FIUs.

2.

The Authority and FIUs shall be subject to a duty of cooperation in good faith, including with regard to joint analyses

supported or initiated by the Authority, and to an obligation to exchange information that is necessary to fulfil their

respective tasks.

3.

The Authority shall have dedicated human, financial and IT resources to support the tasks referred to in Article 5(5)

and shall ensure, where necessary, organisational separation of the staff dedicated to those tasks from the staff carrying out

the tasks relating to the Authority’s supervisory activities.

An FIU may inform the Authority in the case of a failure by another FIU to cooperate. In that case, the Authority shall act as

a mediator.

Article 40

Conduct of joint analyses

1.

The Authority shall lay down methods and criteria for the selection and prioritisation of cases relevant for the

conduct of joint analyses in accordance with Article 32 of Directive (EU) 2024/1640, to be assisted by the Authority.

2.

For the purposes of paragraph 1, the Authority shall draw up, on an annual basis, a list of priority areas for the

conduct of joint analyses. That list may be reviewed where new priority areas are identified.

3.

Where, pursuant to Article 32 of Directive (EU) 2024/1640 and having regard to the criteria referred to in

paragraph 1 of this Article, an FIU of a Member State identifies a potential need to conduct a joint analysis with one or

several FIUs in other Member States, it shall notify the Authority thereof.

The Authority shall register all notifications received pursuant to the first subparagraph of this paragraph and assess the

relevance of the case in accordance with the methods and criteria referred to in paragraph 1. Where the Authority assesses

that the case is relevant, it shall, within five days of the initial notification, inform FIUs in all relevant Member States and

invite them to take part in the joint analysis. To that end, the Authority shall use secured channels of communication. FIUs

in all relevant Member States shall consider taking part in the joint analysis.

4.

If at least one other FIU agrees to take part in the joint analysis, the Authority shall ensure that the joint analysis is

launched within 20 days of the initial assessment referred to in paragraph 3, second subparagraph, unless the urgency of

the matter justifies the imposition of a shorter deadline.

5.

Any FIU that declines to participate in the conduct of the joint analysis shall provide the reasons thereof in writing to

the Authority, within five days of receipt of the invitation. The Authority shall provide such explanation without delay to

the FIU that identified the need for a joint analysis.

52/90

EN

OJ L, 19.6.2024

6.

Upon the express consent of all FIUs participating in the joint analysis, the staff of the Authority supporting the joint

analysis shall be granted access to all data pertaining to the subject matter of the case and shall be able to process those data

for the purposes of supporting the joint analysis.

Where an FIU refuses to grant access to the staff of the Authority to the data pertaining to the subject matter of the case, it

shall ensure that the information is otherwise provided in a way that does not impede the staff of the Authority in providing

operational support to the joint analysis, nor otherwise effectively hamper their ability to provide such support.

Where several FIUs refuse to grant access to the data pertaining to the subject matter of the case, the Authority shall

re-assess whether the tasks that its staff would perform justify its support to the joint analysis, and consider recommending

that the joint analysis proceeds without its support instead.

7.

The Authority shall provide all necessary tools and operational support required for the conduct of the joint analysis,

in accordance with the developed methods and procedures. In particular, the Authority shall set up a dedicated, secured

channel of communication for the performance of the joint analysis, and shall provide the appropriate technical

coordination, including IT support, as well as budgetary and logistical support.

8.

Upon the express consent of all FIUs participating in the joint analysis, the staff of the Authority supporting the joint

analysis shall be authorised to cross-match, on the basis of a hit/no-hit system, the data of those FIUs with data made

available by other FIUs and Union bodies, offices and agencies within their respective mandates.

In the case of a hit, the Authority shall share with all FIUs participating in the joint analysis the information that triggered

the hit to the extent that the provider of the information authorised its sharing and that the information is necessary for the

conduct of the joint analysis.

For the purposes of this paragraph, the Authority shall use a system designed for the cross-matching of information

relevant for the purposes of preventing money laundering, its predicate offences and terrorist financing in a proportionate

manner. That system shall ensure a level of security and confidentiality proportionate to the nature and extent of the

information cross-matched. The methods and procedures to be established for the conduct of the joint analyses pursuant to

Article 43(1) and the working arrangements to be concluded pursuant to Article 94(2) shall specify the methods for

carrying out the cross-matching on the basis of a hit/no-hit system as referred to in the first subparagraph of this paragraph.

Article 41

Reporting and transmission of the results of joint analyses

1.

Where the results of a joint analysis indicate that there are reasonable grounds to suspect that money laundering or

other criminal activities are being or have been committed in respect of which the EPPO could exercise its competence in

accordance with Article 22 and Article 25(2) and (3) of Regulation (EU) 2017/1939, the Authority shall report without

undue delay the results of the joint analysis and any additional relevant information to the EPPO.

2.

The Authority shall, in consultation with the EPPO, develop draft implementing technical standards to specify the

format to be used by the Authority for the reporting of information to the EPPO.

The Authority shall submit those draft implementing technical standards to the Commission by 27 June 2026.

The Commission is empowered to adopt the implementing technical standards referred to in the first subparagraph in

accordance with Article 53.

3.

Where the results of the joint analysis indicate that there are reasonable grounds to suspect that fraud, corruption or

any other illegal activity affecting the financial interests of the Union is being or has been committed in respect of which the

European Anti-Fraud Office (OLAF) could exercise its competence in accordance with Article 8 of Regulation

(EU, Euratom) No 883/2013, the Authority shall transmit the results of the joint analysis and any additional relevant

information to OLAF.

53/90

EN

OJ L, 19.6.2024

Upon the express consent of all FIUs participating in the joint analysis and where the results of the joint analysis

4.

indicate that there are reasonable grounds to suspect that a criminal offence has been committed in respect of which

Europol could exercise its competence in accordance with Regulation (EU) 2016/794 of the European Parliament and of the

Council (³⁸), the Authority shall transmit the results of the joint analysis and any additional relevant information to Europol.

5.

Upon the express consent of all FIUs participating in the joint analysis, and where the results of the joint analysis

indicate that there are reasonable grounds to suspect that a criminal offence has been committed in respect of which

Eurojust could exercise its competence in accordance with Regulation (EU) 2018/1727 of the European Parliament and of

the Council (³⁹), the Authority shall transmit the results of the joint analysis and any additional relevant information to

Eurojust.

6.

The Authority, the EPPO, Europol, Eurojust and OLAF may exchange strategic and other non-operational

information, such as typologies and risk indicators, in the areas within their competence.

The conditions for the exchange of the information referred to in the first subparagraph shall be laid down in the working

arrangements referred to in Article 94.

Article 42

Requests by the Authority for the initiation of a joint analysis

1.

Where the Authority identifies a potential need to conduct a joint analysis pursuant to Article 40 of this Regulation or

Article 32 of Directive (EU) 2024/1640, it shall inform the concerned FIUs thereof and request them to take part in the

joint analysis.

2.

The concerned FIUs shall inform the Authority without undue delay, making best efforts to do so within five days of

receipt of the request, of their decision concerning the request referred to in paragraph 1.

3.

Where an FIU requested to take part in the joint analysis refuses a request made by the Authority pursuant to

paragraph 1, it shall inform the Authority of the reasons for its decision without undue delay, making best efforts to do so

within five days of receipt of the request.

Article 43

Review of the methods and procedures for, and conduct of, joint analyses

1.

The Authority shall establish methods and procedures for the conduct of joint analyses, periodically review them and

update them where necessary. The requirement to review and update shall also apply to the methods and criteria referred to

in Article 40(1).

2.

FIUs that participated or were otherwise involved in a joint analysis may provide their feedback to the Authority on

the conduct of the analysis, including feedback on the operational support provided by the Authority in the process of the

joint analysis, as well as feedback on the outcome of the analysis, the methods and procedures in place pursuant to

paragraph 1, the tools available and the coordination between the participating FIUs. Feedback that is labelled confidential

shall not be shared with other FIUs.

3.

On the basis of the feedback referred to in paragraph 2, or on its own initiative, the Authority may issue a follow-up

report relating to the conduct of the joint analysis, including specific suggestions for adjustments regarding the methods

and procedures for the conduct of the joint analysis, and conclusions on the outcome of the joint analysis. The follow-up

report shall be shared with all FIUs, without disclosing confidential or restricted information on the case. The conclusions

and recommendations relating to the conduct of the joint analysis shall be shared with all FIUs that participated in that joint

analysis, and with all other FIUs insofar as those conclusions and recommendations do not contain confidential or

restricted information.

38

Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law

Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA,

2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53).

Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency

for Criminal Justice Cooperation (Eurojust), and replacing and repealing Council Decision 2002/187/JHA (OJ L 295, 21.11.2018,

p. 138).

39

54/90

EN

OJ L, 19.6.2024

Article 44

National FIU delegates

1.

The FIU of each Member State shall delegate one or more staff members to the Authority. The regular place of work of

the national FIU delegate shall be at the seat of the Authority.

2.

FIU delegates shall have the status of staff of the delegating FIU at the time of their appointment and for the entire

duration of their delegation. Member States shall appoint their FIU delegate on the basis of a proven high level of relevant

and practical experience in the field of FIU tasks. The delegate shall remain under the authority of the delegating FIU and

shall comply with the security and confidentiality rules of the delegating FIU, including relevant national law.

3.

The General Board in FIU composition may reject a person who has been appointed as FIU delegate if that person

does not fulfil the criteria referred to in paragraph 2. The term of office of FIU delegates shall be three years, renewable once

with the consent of the delegating FIU.

4.

FIU delegates shall support the Authority in carrying out the tasks set out in Article 5(5). To that end, FIU delegates

shall be granted, for the duration of the delegation, access to the Authority’s data and information to the extent necessary

for the performance of their tasks.

5.

FIU delegates shall be granted access to any data accessible by their delegating FIU for the purposes of carrying out the

tasks referred to in Article 5(5).

6.

The Executive Board shall determine the rights and obligations of FIU delegates in relation to the Authority, taking

into account the opinion of the General Board in FIU composition. FIUs shall ensure that their FIU delegate complies with

those rights and obligations.

Article 45

Mutual assistance in the area of cooperation between FIUs

1.

In the context of promoting cooperation between, and supporting the work of, FIUs, the Authority, taking into

account the needs of FIUs, shall promote common approaches, methods and best practices. The Authority shall also

organise and facilitate in particular the following activities:

(a) training programmes, including with respect to technological innovation;

(b) personnel exchanges and secondment schemes, including secondment of FIU staff from a Member State to the

Authority;

(c) exchanges of practices between FIUs, including sharing expertise in a specific area;

(d) development or procurement of IT tools and services to enhance the analysis capabilities of FIUs.

2.

An FIU may submit to the Authority a request for assistance related to the tasks of the FIU, specifying the type of

assistance it seeks from the staff of the Authority, the staff of one or more FIU, or a combination thereof. The FIU requesting

assistance shall ensure that access is given to any information and data necessary for the provision of such assistance. The

Authority shall keep and regularly update information on specific areas of expertise and on the capacity of FIUs to provide

mutual assistance related to the tasks of FIUs.

3.

The Authority shall make every effort to provide the requested assistance, including by considering the support to be

provided with its own human resources as well as coordinating and facilitating the provision of any form of assistance by

other FIUs on a voluntary basis.

55/90

EN

OJ L, 19.6.2024

At the beginning of each year, the Chair of the Authority shall inform the General Board in FIU composition of the

4.

human resources that the Authority can allocate to providing the assistance referred to in paragraph 2 of this Article.

Where changes occur to the availability of human resources due to performance of the tasks referred to in Article 5(5), the

Chair of the Authority shall inform the General Board in FIU composition thereof.

Article 46

Mediation between FIUs

1.

The Authority may facilitate a solution in the case of a disagreement between two or more FIUs regarding individual

cases related to cooperation, including the exchange of information, under Directive (EU) 2024/1640. The purpose of such

mediation shall be to reconcile divergent points of view between the FIUs and to adopt a non-binding opinion.

2.

Where a disagreement cannot be solved by direct contact and dialogue between the FIUs concerned, the Authority

shall launch a mediation procedure upon the request of one or more of those FIUs. The Authority may also propose

launching a mediation procedure on its own initiative. Mediation shall be conducted only with the agreement of all FIUs

concerned.

3.

The mediation procedure shall be launched before the General Board in FIU composition. All members of the General

Board in FIU composition, except the heads of the FIUs that are concerned by the disagreement, shall seek to reconcile the

points of view of the FIUs that are concerned by the disagreement and shall agree on a non-binding opinion. Where

relevant, experts from the Commission may be invited to participate in the mediation procedure in an advisory capacity.

4.

The General Board in FIU composition shall adopt rules of procedure for mediation procedures, including the

applicable deadlines.

5.

Where an FIU that is concerned by a disagreement refuses to participate in the mediation procedure, it shall inform

the Authority and the other FIUs that are concerned by the disagreement of the reasons for its decision within the period

specified in the rules of procedure referred to in paragraph 4.

6.

Within three months of the adoption of the non-binding opinion referred to in paragraph 3, the FIUs that are

concerned by the disagreement shall report to the General Board in FIU composition regarding the measures that they have

taken in response to the opinion or, where they have not taken measures, regarding the reasons why they have not done so.

Article 47

FIU.net

1.

The Authority shall ensure adequate, uninterrupted and secure hosting of FIU.net, and ensure the management,

maintenance and development of FIU.net. Taking into account the needs of FIUs, the Authority shall ensure that the most

advanced and secure technology available is used for FIU.net, subject to a cost-benefit analysis.

2.

The Authority shall ensure uninterrupted functioning of FIU.net and keep it up-to-date. Where necessary to support

or strengthen the exchange of information and cooperation between FIUs and based on the needs of FIUs, the Authority

shall design and implement, or otherwise make available, upgraded or additional functionalities of FIU.net.

3.

The Authority shall also be responsible for the following tasks relating to FIU.net:

(a) implement appropriate technical and organisational measures to ensure a level of security that protects personal data;

(b) plan, coordinate, manage and support any testing activities;

(c) ensure adequate financial resources;

56/90

EN

OJ L, 19.6.2024

(d) provide training on the technical use of FIU.net by end-users.

4. For the purposes of carrying out the tasks referred to in paragraphs 1, 2 and 3, the Authority shall be empowered to

conclude or enter into legally binding contracts or agreements with third-party service providers, after appropriate audits of

their security standards.

5.

The Authority shall adopt and implement the measures necessary for the fulfilment of the tasks referred to in this

Article, including a security plan, a business continuity plan and a disaster recovery plan for FIU.net.

6.

The General Board in FIU composition, acting unanimously, may decide to suspend the access of an FIU, its

counterpart in a third country, or a Union body, office or agency, to FIU.net where it has grounds to believe that such access

would jeopardise the implementation of Chapter III of Directive (EU) 2024/1640 and the security and confidentiality of the

information held by FIUs and exchanged through the FIU.net system, including where there are concerns in relation to an

FIU’s lack of independence and autonomy.

Where the General Board in FIU composition adopts a decision suspending the access of an FIU to FIU.net, the General

Board shall act unanimously by vote of all members of the General Board in FIU composition, except the head of the FIU in

question.

The General Board in FIU composition shall define the criteria for the suspension of access to FIU.net and adopt rules of

procedure for such suspension.

Article 48

Peer review

1.

The Authority shall set up a peer review process of the activities of FIUs pursuant to Chapter III of Directive

(EU) 2024/1640 to strengthen the consistency and effectiveness of FIU activities and to facilitate the exchange of best

practices between FIUs. The Authority shall develop methods to allow for an objective assessment of the FIUs reviewed and

also develop rules of procedure for the conduct of peer reviews.

Where relevant, the planning and conducting of peer reviews shall take due account of the evaluations, assessments and

reports drawn up by international organisations and intergovernmental bodies with competence in the field of preventing

and detecting money laundering, its predicate offences and terrorist financing.

2.

For the purposes of paragraph 1, the Authority shall set up a peer review team, which shall be composed of the staff

of the Authority and representatives of the FIUs participating in the peer review.

3.

The peer review of the activities of an FIU shall include an assessment of, but shall not be limited to, the following:

(a) the adequacy of the FIU’s resources, including human and technical and IT resources, to perform its functions;

(b) the measures implemented to ensure that the FIU has operational independence and autonomy and is not subject to

undue influence;

(c) the measures that the FIU has put in place to protect the security and confidentiality of information;

(d) the FIU’s function to receive suspicious transaction reports and other disclosures, including the number and nature of

disclosures received and their quality;

(e) the measures that the FIU has put in place to enhance the reporting of suspicious transactions by obliged entities, in

particular in relation to their quality;

(f) the FIU’s access to and use of additional information to enrich its analysis;

(g) the tools used by the FIU to carry out an analysis;

57/90

EN

OJ L, 19.6.2024

(h) the extent to which the FIU’s analysis and dissemination support the operational needs of authorities competent for the

investigation and prosecution of money laundering, its predicate offences and terrorist financing;

(i) domestic cooperation between the FIU and other competent authorities;

(j) cross-border cooperation between the FIU and FIUs from other Member States.

4.

The Authority shall produce a report setting out the results of the peer review. That peer review report shall be jointly

prepared by the staff of the Authority and the relevant staff of the FIUs involved in the peer review team, and shall be

adopted by the Executive Board, having received the observations of the General Board in FIU composition as to the

consistency of application of the methodology with other peer review reports. The report shall include good practices

identified and, where relevant, follow-up measures that are deemed appropriate, proportionate and necessary as a result of

the peer review. Those follow-up measures may be adopted in the form of guidelines and recommendations pursuant to

Article 54 and an opinion pursuant to Article 55. FIUs shall make every effort to comply with any guidelines and

recommendations issued in accordance with Article 54.

5.

The Authority shall publish the findings of the peer review on its website and submit an opinion to the Commission

where, having regard to the outcome of the peer review or to any other information acquired by the Authority in carrying

out its tasks, it considers that further harmonisation of Union rules applicable to FIUs would be necessary from the Union’s

perspective.

6.

The Authority shall provide a follow-up report two years after the publication of the peer review report. The

follow-up report shall be jointly prepared by the staff of the Authority and the relevant staff of the FIUs involved in the peer

review team, and shall be adopted by the Executive Board, having received the observations of the General Board in FIU

composition as to the consistency of application of the methodology with other peer review reports. The follow-up report

shall include an assessment of the adequacy and effectiveness of the actions undertaken by the FIUs that were subject to the

peer review in response to the follow-up measures of the peer review report. The Authority shall publish the findings of the

follow-up report on its website.

7.

For the purposes of this Article, the Executive Board shall adopt a peer review work plan every two years, which shall

reflect the lessons learnt from the past peer review processes and discussions held in the General Board in FIU composition.

The peer review work plan shall constitute a separate part of the annual and multiannual working programme and shall be

included in the single programming document. Every FIU shall participate in the peer reviews which concern it.

SECTION 7

Common instruments

Article 49

Regulatory technical standards

1.

Where the European Parliament and the Council delegate power to the Commission to adopt regulatory technical

standards by means of delegated acts pursuant to Article 290 TFEU in order to ensure consistent harmonisation in the areas

specifically set out in the legislative acts referred to in Article 1(2) of this Regulation, the Authority may develop draft

regulatory technical standards. The Authority shall submit its draft regulatory technical standards to the Commission for

adoption. At the same time, the Authority shall forward those draft regulatory technical standards for information to the

European Parliament and to the Council.

Regulatory technical standards shall be technical, shall not imply strategic decisions or policy choices and their content shall

be delimited by the legislative acts on which they are based.

Before submitting them to the Commission, the Authority shall conduct open public consultations on draft regulatory

technical standards and shall analyse the potential related costs and benefits, unless those consultations and analyses are

highly disproportionate to the scope and impact of the draft regulatory technical standards concerned or in relation to the

particular urgency of the matter.

58/90

EN

OJ L, 19.6.2024

Within three months of receipt of a draft regulatory technical standard, the Commission shall decide whether to adopt it.

The Commission shall inform the European Parliament and the Council in due time where the adoption cannot take place

within the three-month period. The Commission may adopt the draft regulatory technical standard in part only, or with

amendments, where the Union’s interests so require.

Where the Commission intends not to adopt a draft regulatory technical standard or to adopt it in part or with

amendments, it shall send the draft regulatory technical standard back to the Authority, explaining why it does not adopt it

or explaining the reasons for its amendments.

The Commission shall send a copy of its letter to the European Parliament and to the Council. Within a period of six weeks,

the Authority may amend the draft regulatory technical standard on the basis of the Commission’s proposed amendments

and resubmit it in the form of a formal opinion to the Commission. The Authority shall send a copy of its formal opinion

to the European Parliament and to the Council.

If, on the expiry of that six-week period, the Authority has not submitted an amended draft regulatory technical standard,

or has submitted a draft regulatory technical standard that is not amended in a way consistent with the Commission’s

proposed amendments, the Commission may adopt the regulatory technical standard with the amendments it considers

relevant, or reject it.

The Commission shall not change the content of a draft regulatory technical standard prepared by the Authority without

prior coordination with the Authority, as set out in this Article.

2.

Where the Authority has not submitted a draft regulatory technical standard within the time limit set out in the

legislative acts referred to in Article 1(2), the Commission may request such a draft within a new time limit. If the Authority

cannot comply with that new time limit, it shall inform the European Parliament, the Council and the Commission thereof

in due time.

3.

Only where the Authority does not submit a draft regulatory technical standard to the Commission within the time

limits in accordance with paragraph 2, may the Commission adopt a regulatory technical standard by means of a delegated

act without a draft from the Authority.

The Commission shall conduct open public consultations on draft regulatory technical standards and analyse the potential

related costs and benefits, unless such consultations and analyses are disproportionate to the scope and impact of the draft

regulatory technical standards concerned or in relation to the particular urgency of the matter.

The Commission shall immediately forward the draft regulatory technical standard to the European Parliament and the

Council.

The Commission shall send its draft regulatory technical standard to the Authority. Within a period of six weeks, the

Authority may amend the draft regulatory technical standard and submit it in the form of a formal opinion to the

Commission. The Authority shall send a copy of its formal opinion to the European Parliament and to the Council.

If on the expiry of the six-week period referred to in the fourth subparagraph, the Authority has not submitted an amended

draft regulatory technical standard, the Commission may adopt the regulatory technical standard.

If the Authority has submitted an amended draft regulatory technical standard within the six-week period, the Commission

may amend the draft regulatory technical standard on the basis of the Authority’s proposed amendments or adopt the

regulatory technical standard with the amendments it considers relevant. The Commission shall not change the content of

the draft regulatory technical standard prepared by the Authority without prior coordination with the Authority, as set out

in this Article.

4.

The regulatory technical standards shall be adopted by means of regulations or decisions. The words ‘regulatory

technical standard’ shall appear in the title of such regulations or decisions. Those standards shall be published in the Official

Journal of the European Union and shall enter into force on the date stated therein.

59/90

EN

OJ L, 19.6.2024

Article 50

Exercise of the delegation

1.

The power to adopt regulatory technical standards referred to in Article 49 shall be conferred on the Commission for

a period of four years from 26 June 2024. The Commission shall draw up a report in respect of the delegated power not

later than six months before the end of the four-year period. The delegation of power shall be automatically extended for

periods of an identical duration.

2.

As soon as it adopts a regulatory technical standard, the Commission shall notify it simultaneously to the European

Parliament and to the Council.

3.

The power to adopt regulatory technical standards is conferred on the Commission subject to the conditions laid

down in Articles 49, 51 and 52.

Article 51

Objections to regulatory technical standards

1.

The European Parliament or the Council may object to a regulatory technical standard within a period of three

months from the date of notification of the regulatory technical standard adopted by the Commission. At the initiative of

the European Parliament or the Council that period shall be extended by three months.

2.

If, on the expiry of the period referred to in paragraph 1, neither the European Parliament nor the Council has

objected to the regulatory technical standard, it shall be published in the Official Journal of the European Union and shall enter

into force on the date stated therein.

The regulatory technical standard may be published in the Official Journal of the European Union and enter into force before

the expiry of the period referred to in paragraph 1 if the European Parliament and the Council have both informed the

Commission of their intention not to raise objections.

3.

If either the European Parliament or the Council objects to a regulatory technical standard within the period referred

to in paragraph 1, it shall not enter into force. In accordance with Article 296 TFEU, the institution which objects shall state

the reasons for objecting to the regulatory technical standard.

Article 52

Non-endorsement or amendment of draft regulatory technical standards

1.

In the event that the Commission does not endorse a draft regulatory technical standard or amends it as provided for

in Article 49, the Commission shall inform the Authority, the European Parliament and the Council, stating its reasons.

2.

Where appropriate, the European Parliament or the Council may invite the responsible Commissioner, together with

the Chair of the Authority, within one month of the notice referred to in paragraph 1, for an ad hoc meeting of the

competent committee of the European Parliament or the Council to present and explain their differences.

Article 53

Implementing technical standards

1.

Where the European Parliament and the Council confer implementing powers on the Commission to adopt

implementing technical standards by means of implementing acts pursuant to Article 291 TFEU, in the areas specifically set

out in the legislative acts referred to in Article 1(2) of this Regulation, the Authority may develop draft implementing

technical standards. Implementing technical standards shall be technical, shall not imply strategic decisions or policy

choices and their content shall be to determine the conditions of application of those acts. The Authority shall submit its

draft implementing technical standards to the Commission for adoption. At the same time, the Authority shall forward

those technical standards for information to the European Parliament and to the Council.

60/90

EN

OJ L, 19.6.2024

Before submitting draft implementing technical standards to the Commission, the Authority shall conduct open public

consultations and shall analyse the potential related costs and benefits, unless such consultations and analyses are highly

disproportionate to the scope and impact of the draft implementing technical standards concerned or in relation to the

particular urgency of the matter.

Within three months of receipt of a draft implementing technical standard, the Commission shall decide whether to adopt

it. The Commission may extend that period by one month. The Commission shall inform the European Parliament and the

Council in due time where the adoption cannot take place within the three-month period. The Commission may adopt the

draft implementing technical standard in part only, or with amendments, where the Union’s interests so require.

Where the Commission intends not to adopt a draft implementing technical standard or intends to adopt it in part or with

amendments, it shall send it back to the Authority explaining why it does not intend to adopt it or explaining the reasons

for its amendments. The Commission shall send a copy of its letter to the European Parliament and to the Council. Within

a period of six weeks, the Authority may amend the draft implementing technical standard on the basis of the

Commission’s proposed amendments and resubmit it in the form of a formal opinion to the Commission. The Authority

shall send a copy of its formal opinion to the European Parliament and to the Council.

If, on the expiry of the six-week period referred to in the fourth subparagraph, the Authority has not submitted an amended

draft implementing technical standard, or has submitted a draft implementing technical standard that is not amended in

a way consistent with the Commission’s proposed amendments, the Commission may adopt the implementing technical

standard with the amendments it considers relevant or reject it.

The Commission shall not change the content of a draft implementing technical standard prepared by the Authority

without prior coordination with the Authority, as set out in this Article.

2.

Where the Authority has not submitted a draft implementing technical standard within the time limit set out in the

legislative acts referred to in Article 1(2), the Commission may request such a draft within a new time limit. If the Authority

cannot comply with that new time limit, it shall inform the European Parliament, the Council and the Commission thereof

in due time.

3.

Only where the Authority does not submit a draft implementing technical standard to the Commission within the

time limits in accordance with paragraph 2, may the Commission adopt an implementing technical standard by means of

an implementing act without a draft from the Authority.

The Commission shall conduct open public consultations on draft implementing technical standards and analyse the

potential related costs and benefits, unless such consultations and analyses are disproportionate to the scope and impact of

the draft implementing technical standards concerned or in relation to the particular urgency of the matter.

The Commission shall immediately forward the draft implementing technical standard to the European Parliament and the

Council.

The Commission shall send the draft implementing technical standard to the Authority. Within a period of six weeks, the

Authority may amend the draft implementing technical standard and submit it in the form of a formal opinion to the

Commission. The Authority shall send a copy of its formal opinion to the European Parliament and to the Council.

If, on the expiry of the six-week period referred to in the fourth subparagraph, the Authority has not submitted an amended

draft implementing technical standard, the Commission may adopt the implementing technical standard.

If the Authority has submitted an amended draft implementing technical standard within that six-week period, the

Commission may amend the draft implementing technical standard on the basis of the Authority’s proposed amendments

or adopt the implementing technical standard with the amendments it considers relevant.

The Commission shall not change the content of the draft implementing technical standards prepared by the Authority

without prior coordination with the Authority, as set out in this Article.

4.

The implementing technical standards shall be adopted by means of regulations or decisions. The words

‘implementing technical standard’ shall appear in the title of such regulations or decisions. Those standards shall be

published in the Official Journal of the European Union and shall enter into force on the date stated therein.

61/90

EN

OJ L, 19.6.2024

Article 54

Guidelines and recommendations

1.

The Authority shall, with a view to establishing consistent, efficient and effective supervisory and FIU-related

practices, and to ensuring the common, uniform and consistent application of Union law, issue guidelines and

recommendations addressed to supervisory authorities, supervisors, FIUs, or obliged entities.

2.

The Authority shall, where appropriate, conduct open public consultations regarding those guidelines and

recommendations and analyse the related potential costs and benefits. Those consultations and analyses shall be

proportionate to the scope, nature and impact of the guidelines or recommendations. Where the Authority does not

conduct open public consultations, the Authority shall provide its reasons and make them public.

3.

Supervisory authorities, supervisors, FIUs and obliged entities shall make every effort to comply with those guidelines

and recommendations.

Within two months of the issuance of a guideline or recommendation, each supervisory authority, supervisor or FIU shall

confirm whether it complies or intends to comply with that guideline or recommendation. In the event that a supervisory

authority, supervisor or FIU does not comply or does not intend to comply, it shall inform the Authority, stating its reasons.

The Authority shall publish the fact that a supervisory authority, supervisor or FIU does not comply or does not intend to

comply with that guideline or recommendation. The Authority may also decide, on a case-by-case basis, to publish the

reasons provided by the supervisory authority, supervisor or FIU for not complying with that guideline or

recommendation. The supervisory authority, supervisor or FIU shall receive advance notice of such publication.

If required by that guideline or recommendation, obliged entities shall report, in a clear and detailed way, whether they

comply with that guideline or recommendation.

4.

In the report referred to in Article 64(4), point (c), the Authority shall list the guidelines and recommendations that it

has issued.

5.

The guidelines and recommendations issued by the Authority shall replace the guidelines and recommendations

previously issued by the EBA or by supervisors and FIUs on the same subject. Provided that they are still relevant, the

guidelines and recommendations issued by the EBA, or by supervisors and FIUs pursuant to Directive (EU) 2015/849 of the

European Parliament and of the Council (⁴⁰) and Regulation (EU) 2023/1113 shall remain applicable until such time as the

new guidelines and recommendations issued by the Authority on the same subject start to apply. The Authority shall

provide for a suitable transition period for the application of the new guidelines and recommendations.

Article 55

Opinions and technical advice

1.

The Authority may, upon a request from the European Parliament, from the Council or from the Commission, or on

its own initiative, provide opinions to the European Parliament, the Council and the Commission on all issues related to its

area of competence.

2.

The request referred to in paragraph 1 may include a consultation with other relevant Union bodies where their

competence is concerned, a public consultation or a technical analysis.

3.

The Authority may, upon a request from the European Parliament, from the Council or from the Commission,

provide technical advice to the European Parliament, the Council and the Commission in the areas covered by the legislative

acts referred to in Article 1(2).

40

Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the

financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the

European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and

Commission Directive 2006/70/EC (OJ L 141, 5.6.2015, p. 73).

62/90

EN

OJ L, 19.6.2024

CHAPTER III

ORGANISATION OF THE AUTHORITY

Article 56

Administrative and management structure

The Authority’s structure shall comprise:

(a) a General Board, which shall exercise the tasks set out in Article 60;

(b) an Executive Board, which shall exercise the tasks set out in Article 64:

(c) a Chair of the Authority, who shall exercise the tasks set out in Article 69;

(d) an Executive Director, who shall exercise the tasks set out in Article 71;

(e) an Administrative Board of Review, which shall exercise the functions listed in Article 74.

SECTION 1

General board

Article 57

Composition of the General Board

1.

The General Board shall have either the supervisory composition laid down in paragraph 2 or the FIU composition

laid down in paragraph 3.

2.

The General Board in supervisory composition shall be composed of:

(a) the Chair of the Authority, with the right to vote;

(b) the heads of the supervisory authorities of obliged entities in each Member State, with the right to vote;

(c) one representative of the Commission, without the right to vote.

The heads of the supervisory authorities referred to in the first subparagraph, point (b), in each Member State shall share

a single vote and shall agree on a single common representative, which shall be either a permanent representative or an ad

hoc voting representative, for the purposes of each specific meeting or voting procedure. Where items to be discussed by

the General Board in supervisory composition concern the competence of several supervisory authorities, the single

common representative may be accompanied by a representative from up to two other supervisory authorities, without the

right to vote.

Each supervisory authority that has a voting member under an ad hoc or permanent agreement shall be responsible for

nominating a high-level alternate from its authority, who may replace the voting member of the General Board referred to

in the second subparagraph where that person is unable to attend.

3.

The General Board in FIU composition shall be composed of:

(a) the Chair of the Authority, with the right to vote;

(b) the heads of FIUs, with the right to vote;

(c) one representative of the Commission, without the right to vote.

Each FIU shall nominate a high-level alternate from its unit, who may replace the head of the FIU referred to in the first

subparagraph, point (b), where that person is unable to attend.

63/90

EN

OJ L, 19.6.2024

The General Board may decide to admit observers. In particular, the General Board in FIU composition may admit the

4.

representatives of OLAF, Europol, Eurojust and the EPPO as observers to meetings, where matters within the scope of their

respective mandates are discussed. The General Board in supervisory composition shall admit a representative nominated

by the Supervisory Board of the ECB and a representative of each of the ESAs as observers, where matters within the scope

of their respective mandates are discussed.

The circumstances under which the Union institution, bodies, offices and agencies listed in the first subparagraph are to be

invited to the meetings of the General Board shall be specified in the rules of procedure of the General Board and reflect an

agreement reached between the Authority and each of those observers.

Other observers may be admitted on an ad hoc basis if approved by a two-thirds majority of the voting members of the

General Board in the relevant composition.

5.

The Executive Board members may participate in the meetings of the General Board, whether in supervisory

composition or FIU composition, without the right to vote, where the items covered by their areas of responsibility as

determined by the Chair of the Authority and referred to in Article 66(2) are discussed.

Article 58

Delegation of tasks and decisions, and internal committees of the General Board

1.

The General Board, on its own initiative or at the request of the Chair of the Authority, may establish internal

committees for specific tasks attributed to it. The General Board may provide for the delegation of certain clearly defined

tasks and decisions to internal committees, to the Executive Board or to the Chair of the Authority. The General Board may

revoke such delegation at any time.

2.

Internal committees shall report to the General Board, for decision, all conclusions reached by them.

3.

(5).

The Executive Board members may participate in the meetings of internal committees in accordance with Article 57

4.

The General Board in FIU composition shall establish a standing committee composed of nine of its members or

representatives with adequate expertise from their respective national FIU, to support it in performing its tasks pursuant to

Article 60(3), including by submitting proposals and preparing draft decisions.

The standing committee shall have no decision-making powers. It shall execute its tasks in the interest of the Union as

a whole and shall work in full transparency with the General Board in FIU composition.

The General Board in FIU composition shall adopt the rules of procedure of the standing committee. The composition of

the standing committee shall ensure a fair balance and rotation between the members or representatives of national FIUs. Its

nine members shall be appointed by the General Board in FIU composition.

Article 59

Independence of the General Board

1.

When carrying out the tasks conferred upon them by this Regulation, the Chair of the Authority and the members of

the General Board in supervisory composition and in FIU composition shall act independently and in the general interest of

the Union as a whole and shall neither seek nor take instructions from Union institutions, bodies, offices or agencies, nor

from any government or any other public or private body.

2.

Member States, Union institutions, agencies, offices and bodies, and other public or private bodies shall not seek to

influence the members of the General Board in the performance of their tasks.

3.

In its rules of procedure, the General Board shall lay down practical arrangements for the prevention and management

of conflicts of interest.

64/90

EN

OJ L, 19.6.2024

Article 60

Tasks of the General Board

1.

The General Board in supervisory composition shall take the decisions relating to the tasks referred to in Articles 7 to

10 as well as any other decision which, pursuant to this Regulation, is to be taken by the General Board in supervisory

composition.

2.

The General Board in supervisory composition may provide its opinion on any draft decision prepared by the

Executive Board in relation to selected obliged entities, in accordance with Chapter II, Section 3, and Article 64(2).

The General Board in supervisory composition and the Executive Board shall jointly agree on, and adopt, the procedures

and timelines to be followed for the purpose of providing the opinion referred to in the first subparagraph.

3.

The General Board in FIU composition shall perform the tasks and adopt the decisions referred to in Article 5(5) and

Chapter II, Section 6.

4.

The General Board shall adopt the opinions, recommendations, guidelines and decisions of the Authority referred to

in Chapter II, Section 7, in the appropriate composition, having regard to the subject matter of the instrument. Where

a given instrument concerns both supervision-related matters and FIU-related matters, the General Board in supervisory

composition and the General Board in FIU composition shall each adopt separately those opinions, recommendations,

guidelines and decisions. The opinions, recommendations, and guidelines shall be adopted based on a proposal of the

relevant internal committee.

5.

The General Board shall vote on the draft regulatory technical standards referred to in Article 49 and the draft

implementing technical standards referred to in Article 53 and submit them to the Commission for adoption, in the

appropriate composition, having regard to the subject matter of the standards.

6.

The General Board in either composition shall be consulted on the draft decisions to be taken by the Executive Board

pursuant to Article 64(4), points (a), (c), (e) and (m). Where the subsequent decision taken by the Executive Board deviates

from the opinion of the General Board, the Executive Board shall provide the reasons thereof in writing.

7.

The General Board shall adopt its rules of procedure and make them public.

8.

Without prejudice to Article 63(3) and (4) and Article 68(1) and (2), the General Board shall exercise the powers

conferred by the Staff Regulations on the appointing authority and by the Conditions of Employment of Other Servants on

the authority empowered to conclude contracts of employment (‘the appointing authority powers’) with regard to the Chair

of the Authority and the five full-time members of the Executive Board, throughout their mandate.

Article 61

Voting rules of the General Board

1.

Decisions of the General Board shall be taken by a simple majority of its members. Each voting member as

determined by Article 57(2) and (3) shall have one vote. In the event of a tied vote, the Chair of the Authority shall have

a casting vote.

2.

By way of derogation from paragraph 1 of this Article, the General Board shall, with regard to the acts referred to in

Articles 49, 53, 54 and 55 of this Regulation, take decisions on the basis of a qualified majority of its members, as provided

for in Article 16(4) TEU.

The Chair of the Authority shall not vote on the decisions referred to in the first subparagraph of this paragraph, the

opinions referred to in Article 60(2) or the decisions related to the evaluation of the performance of the Executive Board

referred to in Article 63(5).

3.

The members without the right to vote and the observers shall not attend any discussions held within the General

Board in supervisory composition relating to individual obliged entities, unless otherwise provided for in the legislative acts

referred to in Article 1(2) or otherwise decided upon by the members with the right to vote.

4.

Paragraph 3 shall not apply to the Executive Board members and the ECB representative nominated by the

Supervisory Board of the ECB.

65/90

EN

OJ L, 19.6.2024

The Chair of the Authority shall have the prerogative to call a vote at any time. Without prejudice to that prerogative

5.

and to the effectiveness of the Authority’s decision-making procedures, the General Board shall strive for consensus when

taking its decisions.

Article 62

Meetings of the General Board

1.

2.

The Chair of the Authority shall convene the meetings of the General Board.

The General Board shall hold at least two ordinary meetings per year. In addition, it shall meet on the initiative of its

Chair, or at the request of at least one third of its members.

3.

The General Board may invite any person whose opinion may be of interest to attend its meetings as an observer.

4.

The members of the General Board and their alternates may, subject to its rules of procedure, be assisted at the

meetings by advisers or experts.

5.

The General Board shall be assisted by a secretariat provided by the Authority.

6.

The Chair of the Authority and the five full-time members of the Executive Board shall not attend meetings of the

General Board where matters concerning the performance of their mandate are discussed or decided upon.

SECTION 2

Executive board

Article 63

Composition and appointment of the Executive Board

1.

The Executive Board shall be composed of:

(a) the Chair of the Authority;

(b) five full-time members, including the Vice-Chair.

Where the Executive Board carries out the tasks referred to in Article 64(4), points (a) to (l), a representative of the

Commission shall be entitled to participate in the debates and shall only have access to the documents pertaining to those

tasks.

2.

The Executive Director shall participate in meetings of the Executive Board without the right to vote.

3.

Where the decisions referred to in Article 64(2) in relation to a selected obliged entity are deliberated upon, the

member of the General Board in supervisory composition from the Member State where the concerned selected obliged

entity is established may participate in the deliberations during the relevant meetings of the Executive Board.

That member of the General Board shall not be present during the vote following such deliberations.

4.

The Executive Board members referred to in paragraph 1, point (b), shall be selected on the basis of merit, skills,

knowledge, integrity, recognised standing and experience in the area of AML/CFT, and other relevant qualifications,

following an open selection procedure which shall be published in the Official Journal of the European Union.

The Commission shall prepare a shortlist of candidates for the position of the Executive Board members referred to in

paragraph 1, point (b). The European Parliament may conduct hearings of the candidates on that shortlist.

66/90

EN

OJ L, 19.6.2024

The General Board shall submit a proposal for the appointment of the Executive Board members referred to in paragraph 1,

point (b), to the European Parliament, based on the shortlist prepared by the Commission. Following the European

Parliament’s approval of that proposal, the Council shall adopt an implementing decision to appoint those Executive Board

members. The Council shall act by qualified majority.

Throughout the appointment process, the principles of gender and geographical balance shall be taken into account to the

extent possible.

5.

The term of office of the Executive Board members referred to in paragraph 1, point (b), shall be four years. In the

course of the 12 months preceding the end of their four-year term of office, the General Board in both compositions or

a smaller committee selected among General Board members, including a Commission representative, shall carry out an

assessment of those Executive Board members. The assessment shall take into account an evaluation of each Executive

Board member’s performance and the Authority’s future tasks and challenges. Based on the assessment, the General Board

in both compositions may propose to the European Parliament to extend their term of office. Such extension may be

granted only once. Following the European Parliament’s approval of the General Board’s proposal, the Council shall adopt

an implementing decision to extend the term of office of the Executive Board member or members concerned. The Council

shall act by qualified majority.

6.

The Executive Board members referred to in paragraph 1, point (b), shall act independently and objectively in the

interest of the Union as a whole and shall neither seek nor take instructions from Union institutions, bodies, offices or

agencies, or from any government or any other public or private body. The Union institutions, bodies, offices and agencies,

the governments of Member States and all other public or private bodies shall respect that independence.

7.

If an Executive Board member referred to in paragraph 1, point (b), no longer fulfils the conditions required for the

performance of that member’s duties or has been guilty of serious misconduct, the Council may, acting on its own initiative

or following a proposal by the European Parliament or the General Board in either composition, adopt an implementing

decision to remove that member of the Executive Board from office. The Council shall act by qualified majority.

8.

During a period of 18 months after ceasing to hold office, the former Executive Board members, including the Chair

and Vice-Chair of the Authority, shall be prohibited from engaging in a gainful occupational activity with:

(a) a selected obliged entity;

(b) any other entity, where doing so would or could lead to a conflict with the legitimate interests of the Authority.

In its rules for the prevention and management of conflicts of interest in respect of its members, referred to in Article 64(4),

point (e), the Executive Board shall specify the circumstances under which such a conflict of interest exists or could be

perceived to exist.

Article 64

Tasks of the Executive Board

1.

The Executive Board shall be responsible for the overall planning and execution of the tasks conferred on the

Authority pursuant to Article 5. The Executive Board shall adopt all decisions of the Authority with the exception of the

decisions that are to be taken by the General Board in accordance with Article 60.

2.

The Executive Board shall adopt the decisions addressed to selected obliged entities for the purposes of the exercise of

the powers referred to in Article 6(1), taking into account the proposal of the selected obliged entity’s joint supervisory

team referred to in Article 16, the proposal of the independent investigatory team referred to in Article 27, and the opinion

provided by the General Board on that proposed decision pursuant to Article 60(2). Where the Executive Board decides to

deviate from such an opinion, it shall provide detailed reasons thereof in writing.

3.

The Executive Board shall adopt the decisions addressed to individual public authorities pursuant to Articles 14, 30,

and 32 to 36.

4.

In addition, the Executive Board shall have the following tasks:

67/90

EN

OJ L, 19.6.2024

(a) adopt, by 30 November of each year, on the basis of a proposal by the Executive Director, the draft single programming

document in accordance with Article 65, and transmit it, for information to the European Parliament, the Council and

the Commission by 31 January of the following year, as well as adopt and transmit any other updated version of the

document;

(b) adopt the draft annual budget of the Authority and exercise other functions in respect of the Authority’s budget;

(c) assess and adopt a consolidated annual report on the Authority’s activities, including an overview of the fulfilment of

its tasks, transmit it, by 1 July of each year, to the European Parliament, the Council, the Commission and the Court of

Auditors, and make it public;

(d) adopt an anti-fraud strategy, proportionate to fraud risks, taking into account the costs and benefits of the measures to

be implemented;

(e) adopt rules for the prevention and management of conflicts of interest in respect of its members, as well as the

members of the Administrative Board of Review;

(f) adopt its rules of procedure;

(g) exercise, with respect to the staff of the Authority, the appointing authority powers;

(h) adopt appropriate implementing rules for giving effect to the Staff Regulations and the Conditions of Employment of

Other Servants in accordance with Article 110(2) of the Staff Regulations;

(i) appoint the Executive Director and remove him or her from office in accordance with Article 70(5);

(j) appoint an accounting officer, who may be the Commission’s accounting officer, subject to the Staff Regulations and

the Conditions of Employment of Other Servants, who shall be fully independent in the performance of his or her

duties;

(k) ensure adequate follow-up to findings and recommendations stemming from the internal or external audit reports and

evaluations, as well as from investigations of OLAF;

(l) adopt the financial rules applicable to the Authority;

(m) take all decisions on the establishment of the Authority’s internal structures and, where necessary, on their

modification.

5.

The Executive Board shall select a Vice-Chair of the Authority from among its voting members. The Vice-Chair shall

automatically replace the Chair of the Authority if the Chair is unable to attend to his or her duties.

6.

With respect to the powers referred to in paragraph 4, point (h), of this Article, the Executive Board shall adopt, in

accordance with Article 110(2) of the Staff Regulations, a decision based on Article 2(1) of the Staff Regulations and

Article 6 of the Conditions of Employment of Other Servants, delegating relevant appointing authority powers to the

Executive Director. The Executive Director shall be authorised to sub-delegate those powers.

7.

In exceptional circumstances, the Executive Board may, by way of a decision, temporarily suspend the delegation of

the appointing authority powers to the Executive Director and any sub-delegation by the Executive Director and exercise

them itself or delegate them to one of its members or to a staff member other than the Executive Director.

Article 65

Annual and multiannual programming

1.

By 30 November of each year, the Executive Board shall adopt a single programming document containing

a multiannual work programme and an annual work programme, based on a draft put forward by the Executive Director,

taking into account the opinion of the Commission and — regarding the multiannual work programme — after consulting

the European Parliament. If the Executive Board decides not to take into account any elements of the opinion of the

68/90

EN

OJ L, 19.6.2024

Commission, it shall provide a thorough justification for that decision. The obligation to provide a thorough justification

shall also apply to any elements raised by the European Parliament when it is consulted. The Executive Board shall forward

the single programming document to the European Parliament, the Council and the Commission.

The single programming document shall become final after the final adoption of the general budget and shall, if necessary,

be adjusted accordingly.

2.

The annual work programme shall comprise detailed objectives and expected results, including performance

indicators. It shall also contain a description of the actions to be financed and an indication of the financial and human

resources allocated to each action, in accordance with the principles of activity-based budgeting and management. The

annual work programme shall be coherent with the multiannual work programme. It shall clearly indicate which tasks have

been added, changed or deleted in comparison with the previous financial year.

3.

The Executive Board shall amend the adopted annual work programme when a new task is given to the Authority.

Any substantial amendment to the annual work programme shall be adopted by the same procedure as the initial annual

work programme. The Executive Board may delegate the power to make non-substantial amendments to the annual work

programme to the Executive Director.

4.

The multiannual work programme shall set out overall strategic programming including objectives, expected results

and performance indicators. It shall also set out resource programming including multiannual budget and staff.

The resource programming shall be updated annually. The strategic programming shall be updated where appropriate.

Article 66

Voting rules of the Executive Board

1.

The Executive Board shall take decisions by a simple majority of its members. Each member of the Executive Board

shall have one vote. The Chair of the Authority, or the Vice-Chair when replacing the Chair, shall have a casting vote in the

event of a tied vote.

2.

A representative of the Commission shall have a right to vote whenever matters pertaining to Article 64(4), points (a)

to (l), are discussed and decided upon.

3.

The Executive Board’s rules of procedure shall establish more detailed voting arrangements, in particular the

circumstances in which a member can act on behalf of another member.

Article 67

Fundamental Rights Officer

1.

The Executive Board shall, upon a proposal of the Executive Director, designate a Fundamental Rights Officer. The

Fundamental Rights Officer may be a member of the existing staff of the Authority.

2.

The Fundamental Rights Officer shall perform the following tasks:

(a) advise the staff of the Authority on any activity carried out by the Authority, where the Officer deems it necessary or

where requested by the staff without impeding or delaying those activities;

(b) promote and monitor the Authority’s compliance with fundamental rights;

(c) provide non-binding opinions on the compliance of the Authority’s activities with fundamental rights;

(d) inform the Executive Director and the Executive Board about possible violations of fundamental rights in the course of

the Authority’s activities.

3.

The Executive Board shall ensure that the Fundamental Rights Officer does not seek or take any instructions regarding

the exercise of the Officer’s tasks.

69/90

EN

OJ L, 19.6.2024

4.

The Fundamental Rights Officer shall report directly to the Executive Director and prepare regular reports on the

performance of the tasks referred to in paragraph 2. Those reports shall be made available to the Executive Board.

SECTION 3

The Chair of the Authority

Article 68

Appointment of the Chair of the Authority

1.

The Chair of the Authority shall be selected on the basis of merit, skills, knowledge, integrity, recognised standing and

experience in the area of AML/CFT and other relevant qualifications, following an open selection procedure which shall be

published in the Official Journal of the European Union. The European Parliament, the Council and the General Board shall be

kept duly informed at every stage of that procedure in a timely manner.

The Commission shall prepare a shortlist of at least two qualified candidates for the position of the Chair of the Authority.

The European Parliament and the General Board may conduct hearings of the candidates on that shortlist. The General

Board may issue a public opinion on the results of its hearings, or address its opinion to the European Parliament, the

Council and the Commission.

The Commission shall submit a proposal for the appointment of the Chair of the Authority to the European Parliament.

Following the European Parliament’s approval of that proposal, the Council shall adopt an implementing decision to

appoint the Chair of the Authority. The Council shall act by qualified majority.

By way of derogation from the second subparagraph, for the appointment of the first Chair of the Authority following the

entry into force of this Regulation, the Commission shall make a proposal for the appointment of the Chair without the

involvement of the General Board.

2.

The Chair of the Authority shall act independently and objectively in the interest of the Union as a whole and shall

neither seek nor take instructions from the Union institutions, bodies, offices or agencies nor from any government or from

any other public or private body. The Union institutions, bodies, offices and agencies, the governments of the Member

States and all other public or private bodies shall respect that independence.

3.

The term of office of the Chair of the Authority shall be four years. In the course of the 12 months preceding the end

of the Chair’s four-year term of office, the General Board in both compositions or a smaller committee selected among

General Board members including a Commission representative shall carry out an assessment of the Chair. The assessment

shall take into account an evaluation of the Chair’s performance and the Authority’s future tasks and challenges. Based on

the assessment, the Commission may propose to the European Parliament to extend the Chair’s term of office. Such an

extension may be granted only once. Following the European Parliament's approval of the Commission’s proposal, the

Council shall adopt an implementing decision to extend the term of office of the Chair of the Authority. The Council shall

act by qualified majority.

4.

If the Chair of the Authority no longer fulfils the conditions required for the performance of his or her duties or has

been guilty of serious misconduct, the Council may, acting on its own initiative, or following a proposal by the European

Parliament or the General Board in either composition, adopt an implementing decision to remove the Chair of the

Authority from office. The Council shall act by qualified majority.

5.

If the Chair of the Authority resigns or is unable to attend to his or her duties for any other reason, the functions of

the Chair shall be performed by the Vice-Chair.

Article 69

Responsibilities of the Chair of the Authority

1.

The Chair of the Authority shall represent the Authority and shall be responsible for preparing the work of the

General Board and the Executive Board, including setting the agenda, convening and chairing all the meetings and tabling

items for decision.

70/90

EN

OJ L, 19.6.2024

2.

The Chair of the Authority shall assign to the members of the Executive Board referred to in Article 63(1), point (b),

specific areas of responsibility, within the scope of tasks of the Authority, for the duration of their mandate.

SECTION 4

The Executive Director

Article 70

Appointment of the Executive Director

1.

The Executive Director shall be engaged as a temporary agent of the Authority under Article 2, point (a), of the

Conditions of Employment of Other Servants.

2.

The Executive Director shall perform his or her duties in the interest of the Union, and independently of any specific

interests.

3.

The Executive Director shall manage the Authority. The Executive Director shall be accountable to the Executive

Board. Without prejudice to the powers of the Commission and of the Executive Board, the Executive Director shall be

independent in the performance of his or her duties and shall neither seek nor take instructions from any Union

institutions, bodies, offices or agencies, nor from any government or from any other public and private body.

4.

The Executive Director shall be selected on the grounds of merit and documented high-level administrative, budgetary

and management skills, following an open selection procedure which shall be published in the Official Journal of the European

Union and, as appropriate, other press or internet sites. The Commission shall draw up a shortlist of at least two qualified

candidates for the position of Executive Director. The Executive Board shall appoint the Executive Director.

5.

The term of office of the Executive Director shall be five years. In the course of the nine months preceding the end of

the Executive Director’s term of office, the Executive Board shall undertake an assessment that takes into account an

evaluation of the Executive Director’s performance and the Authority’s future tasks and challenges. The Executive Board,

taking into account the evaluation, may extend the term of office of the Executive Director once.

The Executive Director may be removed from office by the Executive Board on the proposal of the Commission.

6.

An Executive Director whose term of office has been extended shall not participate in another selection procedure for

the same post at the end of the extended term of office.

Article 71

Tasks of the Executive Director

1.

The Executive Director shall be responsible for the day-to-day management of the Authority and shall aim to ensure

gender and, to the extent possible, geographical balance within the Authority. In particular, the Executive Director shall be

responsible for:

(a) implementing decisions adopted by the Executive Board;

(b) preparing the draft single programming document and submitting it to the Executive Board after consulting the

Commission;

(c) implementing the single programming document and reporting to the Executive Board on its implementation;

(d) preparing the draft consolidated annual report on the Authority’s activities and presenting it to the Executive Board for

assessment and adoption;

(e) preparing an action plan following up conclusions of internal or external audit reports and evaluations, as well as

investigations by OLAF, and regularly reporting on progress to the Commission, the General Board and the Executive

Board;

71/90

EN

OJ L, 19.6.2024

(f) protecting the financial interests of the Union by applying preventive measures against fraud, corruption and any other

illegal activities, without prejudicing the investigative competence of OLAF, by effective checks and, if irregularities are

detected, by recovering amounts wrongly paid and, where appropriate, by imposing effective, proportionate and

dissuasive administrative penalties, including financial penalties;

(g) preparing an anti-fraud strategy for the Authority and presenting it to the Executive Board for approval;

(h) preparing draft financial rules applicable to the Authority;

(i) preparing, as part of the draft single programming document, the Authority’s draft statement of estimates of revenue

and expenditure pursuant to Article 78 and implementing its budget pursuant to Article 79;

(j) preparing and implementing an IT security strategy, ensuring appropriate risk management for all IT infrastructure,

systems and services, which are developed or procured by the Authority as well as sufficient IT security funding;

(k) implementing the annual work programme of the Authority under the control of the Executive Board;

(l) preparing a draft report describing all activities of the Authority, with a section on financial and administrative matters.

2.

The Executive Director shall take other necessary measures, notably the adoption of internal administrative

instructions and the publication of notices, to ensure the functioning of the Authority, in accordance with this Regulation.

3.

The Executive Director shall decide whether it is necessary to locate one or more staff members in one or more other

Member States for the purpose of carrying out the Authority’s tasks in an efficient and effective manner. Before deciding to

establish a local office, the Executive Director shall obtain the prior consent of the Commission, the Executive Board and

any Member State concerned. The decision shall specify the scope of the activities to be carried out at the local office in

a manner that avoids unnecessary costs and duplication of administrative functions of the Authority. An agreement with

the Member State or Member States concerned shall be concluded accordingly.

SECTION 5

Administrative Board of Review

Article 72

Establishment and composition of the Administrative Board of Review

1.

The Authority shall establish an Administrative Board of Review for the purposes of carrying out an internal

administrative review of the decisions taken by the Authority in the exercise of the powers listed in Articles 21, 22, 23 and

77. The scope of the internal administrative review shall pertain to the procedural and substantive conformity of such

decisions with this Regulation.

2.

The Administrative Board of Review shall be composed of five individuals of high repute, having a proven record of

relevant knowledge and professional experience, including supervisory experience in the area of AML/CFT, excluding

current staff of the Authority, as well as current staff of AML/CFT supervisory authorities and FIUs or other national or

Union institutions, bodies, offices and agencies who are involved in the carrying out of the tasks conferred on the Authority

by this Regulation. The Administrative Board of Review shall have sufficient resources and expertise to assess the exercise of

the powers of the Authority under this Regulation.

3.

The Administrative Board of Review shall decide on the basis of a majority of at least three of its five members.

72/90

EN

OJ L, 19.6.2024

Article 73

Members of the Administrative Board of Review

1.

The members of the Administrative Board of Review and two alternates shall be appointed by the General Board in

supervisory composition for a term of five years, which may be extended once, following a public call for expressions of

interest published in the Official Journal of the European Union. They shall not be bound by any instructions.

2.

The members of the Administrative Board of Review shall act independently and in the public interest and shall not

perform any other duties within the Authority. For that purpose, they shall make a public declaration of commitments and

of interests indicating any direct or indirect interest which might be considered prejudicial to their independence or the

absence of any such interest.

Article 74

Decisions subject to review

1.

A request for review may be brought before the Administrative Board of Review against decisions taken by the

Authority pursuant to Article 6(1) and Articles 21, 22, 23 and 77 by any natural or legal person to whom the decision is

addressed, or to whom it is of direct and individual concern.

2.

Any request for review shall be made in writing, including a statement of grounds, and shall be lodged with the

Authority within one month of the date of notification of the decision to the person requesting the review, or, in the

absence thereof, of the day on which it came to the knowledge of the person requesting the review.

3.

After ruling on the admissibility of the request for review, the Administrative Board of Review shall express an

opinion within a period appropriate to the urgency of the matter and in any event no later than two months from the

receipt of the request, and remit the case for preparation of a new decision to the Executive Board. The Executive Board

shall take into account the opinion of the Administrative Board of Review and shall promptly adopt a new decision. The

new decision shall abrogate the initial decision and replace it with either a decision of identical content or an amended

decision.

4.

A request for review pursuant to paragraph 2 may include a request to suspend the application of the decision subject

to review proceedings. The Administrative Board of Review may, if it considers that the circumstances so require and taking

into account the view of the Executive Board, order that application of the decision in question be suspended until the

Executive Board adopts a new decision pursuant to paragraph 3. If the Administrative Board of Review does not decide on

the request for suspension within 14 days, that request shall be deemed to be rejected.

5.

The opinion expressed by the Administrative Board of Review, and the new decision adopted by the Executive Board

pursuant to this Article, shall be reasoned and notified to the parties.

6.

1.

The Authority shall adopt a decision establishing the Administrative Board of Review’s rules of procedure.

Article 75

Exclusion and objection

The members of the Administrative Board of Review shall not take part in any review proceedings if they have any

personal interest in the proceedings, if they have previously been involved as representatives of one of the parties to the

proceedings, or if they participated in the adoption of the decision under review.

2.

If, for one of the reasons listed in paragraph 1 or for any other reason, a member of the Administrative Board of

Review considers that he or she is not to take part in a review proceeding, he or she shall inform the Administrative Board

of Review accordingly.

73/90

EN

OJ L, 19.6.2024

Any party to the review proceedings may object to any member of the Administrative Board of Review on any of the

3.

grounds listed in paragraph 1, or if the member is suspected of partiality. Any such objection shall not be admissible if the

party to the review proceedings, while being aware of a ground for objecting, has taken a procedural step. No objection

shall be permitted to be made based on the nationality of members.

4.

The Administrative Board of Review shall decide on the action to be taken in the cases referred to in paragraphs 2 and

3 without the participation of the member concerned. For the purposes of taking that decision, the member concerned

shall be replaced on the Administrative Board of Review by his or her alternate.

CHAPTER IV

FINANCIAL PROVISIONS

Article 76

Budget

1.

Estimates of all revenue and expenditure for the Authority shall be prepared each financial year, corresponding to the

calendar year, and shall be shown in the Authority’s budget.

2.

3.

The Authority’s budget shall be balanced in terms of revenue and expenditure.

Without prejudice to other resources, the Authority’s revenue shall consist of a combination of the following:

(a) a contribution from the Union entered in the general budget of the Union;

(b) the fees paid by the selected and non-selected obliged entities in accordance with Article 77, for the tasks mentioned in

Article 5(2), points (a), (b) and (c), and Article 5(3), points (a) to (d), (f) and (g);

(c) any voluntary financial contribution from the Member States;

(d) agreed charges for publications, and for training and any other services provided by the Authority where they have been

specifically requested by one or more FIUs or their counterparts in third countries or by non-AML/CFT authorities;

(e) possible Union funding in the form of contribution agreements or ad hoc grants in accordance with the Authority’s

financial rules referred to in Article 81 and with the provisions of the relevant instruments supporting the policies of

the Union.

The amount and origin of any revenue referred to in the first subparagraph, points (b), (c), (d) and (e), of this paragraph shall

be included in the annual accounts of the Authority and clearly detailed in the annual report on the Authority’s budgetary

and financial management referred to in Article 80(2).

4.

The expenditure of the Authority shall include staff remuneration, administrative and infrastructure expenses and

operating costs.

Article 77

Fees levied on selected and non-selected obliged entities

1.

The Authority shall levy an annual supervisory fee on all selected obliged entities referred to in Article 13 and on the

non-selected obliged entities that meet the criteria set out in Article 12(1). The fees shall cover expenditure incurred by the

Authority in relation to the tasks related to supervision and referred to in Chapter II, Sections 3 and 4. Those fees shall not

exceed the expenditure relating to those tasks. Where those criteria are not fully respected in any given year, the necessary

adjustments shall be made when calculating the fees for the two following years.

2.

The amount of the fee levied on each obliged entity referred to in paragraph 1 shall be calculated in accordance with

the arrangements established in the delegated act referred to in paragraph 6.

74/90

EN

OJ L, 19.6.2024

3.

The fees shall be calculated at the highest level of consolidation in the Union in accordance with applicable

accounting standards.

4.

The basis for calculating the annual supervisory fee for a given calendar year shall be the expenditure relating to the

direct and indirect supervision of the selected and non-selected obliged entities subject to fees in that year. The Authority

may require advance payments in respect of the annual supervisory fee, which shall be based on a reasonable estimate. The

Authority shall communicate with the relevant financial supervisor before deciding on the final fee level so as to ensure that

supervision remains cost-effective and reasonable for all obliged entities in the financial sector. The Authority shall

communicate to the obliged entities concerned the basis for the calculation of the annual supervisory fee. Member States

shall ensure that the obligation to pay the fees specified in this Article is enforceable under national law, and that due fees

are fully paid.

5.

This Article is without prejudice to the right of financial supervisors to levy fees in accordance with national law, to

the extent supervisory tasks have not been conferred on the Authority, or in respect of costs of cooperating with and

assisting the Authority and acting on its instructions, in accordance with applicable Union law.

6.

The Commission is empowered to adopt a delegated act in accordance with Article 100 to supplement this

Regulation by specifying the methodology for calculating the amount of the fee levied on each selected and non-selected

obliged entity subject to fees in accordance with paragraph 1 of this Article, and the procedure for collecting those fees.

When developing the methodology for determining the individual amount of fees, the Commission shall take into account

the following:

(a) the total annual turnover or the corresponding type of income of the obliged entities at the highest level of

consolidation in the Union in accordance with applicable accounting standards;

(b) whether the obliged entity has qualified for direct supervision;

(c) the ML/TF risk profile classification of the obliged entities in accordance with the methodology referred to in Article 12

(7), point (b);

(d) the importance of the obliged entity to the stability of the financial system or to the economy of one or more Member

States or of the Union;

(e) that the amount of the fee to be collected from non-selected obliged entities in proportion to their income or turnover

referred to in point (a) shall not exceed 20 % of the amount of the fee to be collected from selected obliged entities with

the same level of income or turnover.

The Commission shall adopt the delegated acts referred to in the first subparagraph by 1 January 2027.

Article 78

Establishment of the budget

1.

Each year, the Executive Director shall draw up a draft statement of estimates of the Authority’s revenue and

expenditure for the following financial year, including the establishment plan, and send it to the Executive Board.

2.

The Executive Board shall, on the basis of that draft, adopt a provisional draft estimate of the Authority’s revenue and

expenditure for the following financial year.

3.

The final draft estimate of the Authority’s revenue and expenditure shall be sent to the Commission by 31 January of

each year.

4.

The Commission shall send the statement of estimates to the budgetary authority together with the draft general

budget of the Union.

5.

On the basis of the statement of estimates, the Commission shall enter in the draft general budget of the Union the

estimates it considers necessary for the establishment plan and the amount of the subsidy to be charged to the general

budget, which it shall place before the budgetary authority in accordance with Articles 313 and 314 TFEU.

6.

7.

The budgetary authority shall authorise the appropriations for the contribution to the Authority.

The budgetary authority shall adopt the Authority’s establishment plan.

75/90

EN

OJ L, 19.6.2024

8.

The Authority’s budget shall be adopted by the Executive Board. It shall become final following the final adoption of

the general budget of the Union. Where necessary, it shall be adjusted accordingly.

Article 79

Implementation of the budget

1.

The Executive Director shall implement the Authority’s budget, respecting the principles of economy, efficiency,

effectiveness and sound financial management.

2.

Each year, the Executive Director shall send to the budgetary authority all information relevant to the findings of

evaluation procedures.

Article 80

Presentation of accounts and discharge

1.

The Authority’s accounting officer shall send the provisional accounts for the financial year (year N) to the

Commission’s accounting officer and to the Court of Auditors by 1 March of the following year (year N+1).

2.

By 31 March of year N+1, the Authority shall send the annual report on its budgetary and financial management to

the European Parliament, the Council and the Court of Auditors.

3.

By 31 March of year N+1, the Commission’s accounting officer shall send the Authority’s provisional accounts,

consolidated with the Commission’s accounts, to the Court of Auditors.

4.

On receipt of the Court of Auditors’ observations on the Authority’s provisional accounts pursuant to Article 246 of

Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council (⁴¹), the Executive Board shall deliver

an opinion on the Authority’s final accounts.

The Executive Director shall send the Court of Auditors a reply to its observations by 30 September of year N+1. The

Executive Director shall also send this reply to the Executive Board.

5.

The Authority’s accounting officer shall, by 1 July of year N+1, send the final accounts, to the European Parliament,

the Council, the Commission and the Court of Auditors, together with the Executive Board’s opinion.

6.

A link to the pages of the website containing the final accounts of the Authority shall be published in the Official

Journal of the European Union by 15 November of year N+1.

7.

The Executive Director shall submit to the European Parliament, at the request of the European Parliament, any

information required for the smooth application of the discharge procedure for the financial year concerned, in accordance

with Article 261(3) of Regulation (EU, Euratom) 2018/1046.

8.

On a recommendation from the Council acting by a qualified majority, the European Parliament shall, before 15 May

of year N+2, give a discharge to the Executive Director in respect of the implementation of the budget for year N.

Article 81

Financial rules

The financial rules applicable to the Authority shall be adopted by the Executive Board after consulting the Commission.

They shall not depart from Delegated Regulation (EU) 2019/715 unless such a departure is specifically required for the

Authority’s operation and the Commission has given its prior consent.

41

Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules

applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013,

(EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision

No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (OJ L 193, 30.7.2018, p. 1).

76/90

EN

OJ L, 19.6.2024

Article 82

Anti-fraud measures

1.

For the purposes of combating fraud, corruption and any other illegal activity, Regulation (EU, Euratom) No 883/2013

as well as Article 86 of Delegated Regulation (EU) 2019/715 shall apply to the Authority without any restriction.

2.

The Authority shall accede to the Interinstitutional Agreement of 25 May 1999 between the European Parliament, the

Council and the Commission concerning internal investigations by the European Anti-fraud Office (OLAF) (⁴²) and shall

immediately adopt appropriate provisions for all staff of the Authority.

3.

The funding decisions, the agreements and the implementing instruments resulting from them shall expressly provide

that the Court of Auditors and OLAF may, where necessary, carry out on-the-spot checks on the beneficiaries of monies

disbursed by the Authority.

Article 83

IT security

1.

The Authority shall establish an internal IT governance at the level of the Executive Director which establishes and

manages the IT budget and ensures regular reporting to the Executive Board on compliance with applicable IT security rules

and standards.

2.

The Authority shall ensure that a sufficient share of its IT expenditure is transparently allocated to direct IT security.

The contribution to the Cybersecurity Service for the Union institutions, bodies, offices and agencies (CERT-EU) may be

counted in that share.

3.

An adequate IT security monitoring, detection and response service shall be established, using the services of

CERT-EU. Major incidents shall be reported to CERT-EU and to the Commission within 24 hours of detection.

Article 84

Accountability and reporting

1.

The Authority shall be accountable to the European Parliament and to the Council for the implementation of this

Regulation.

2.

The Authority shall submit on an annual basis to the European Parliament, to the Council and to the Commission

a report on the execution of the tasks conferred on it by this Regulation, including information on the planned evolution of

the structure and amount of the supervisory fees referred to in Article 77. With respect to the guidelines and

recommendations that the Authority has issued in accordance with Article 54, the report shall contain information on

compliance with the guidelines and recommendations issued over the year covered by the report as well as any relevant

updates on compliance with previously issued guidelines and recommendations. The report shall be made public and shall

include any other relevant information requested by the European Parliament on an ad hoc basis. The Chair of the

Authority shall present that report in public to the European Parliament.

3.

At the request of the European Parliament, the Chair of the Authority shall participate in a hearing on the execution

of its tasks by the competent committees of the European Parliament. A hearing shall take place at least annually. At the

request of the European Parliament, the Chair of the Authority shall make a statement before the relevant committees of the

European Parliament and answer any questions from their members, whenever so requested.

4.

Within six weeks of each meeting of the General Board, the Authority shall at least provide the European Parliament

with a comprehensive and meaningful record of the proceedings of that meeting that enables an understanding of the

discussions held within that meeting, including an annotated list of decisions. Such record shall not reflect discussions

within the General Board relating to individual obliged entities or discussions relating to confidential supervisory or

FIU-related data, unless otherwise provided for in the legislative acts referred to in Article 1(2).

42

OJ L 136, 31.5.1999, p. 15.

77/90

EN

OJ L, 19.6.2024

5.

The Authority shall reply orally or in writing to questions put to it by the European Parliament within five weeks of

their receipt.

6.

Upon request, the Chair of the Authority shall hold confidential oral discussions behind closed doors with the

competent committees of the European Parliament, where such discussions are required for the exercise of the European

Parliament’s powers under the Treaties. All participants shall respect the requirements of professional secrecy.

7.

When informing the European Parliament on matters pertaining to the Authorities’ contribution to the action of the

Union in international fora, the Authority shall not disclose any information it received in the performance of that task

where such information is subject to confidentiality requirements imposed by third parties.

CHAPTER V

STAFF AND COOPERATION

SECTION 1

Staff

Article 85

General provision

1.

The Staff Regulations and the Conditions of Employment of Other Servants as well as the rules adopted by agreement

between the institutions of the Union for giving effect to those Staff Regulations and Conditions of Employment of Other

Servants shall apply to the staff of the Authority for all matters not covered by this Regulation.

2.

By way of derogation from paragraph 1 of this Article, the Chair of the Authority and the Executive Board members

referred to in Article 63(1), point (b), shall be on a par with, respectively, a Member and the Registrar of the General Court

regarding emoluments and pensionable age, as defined in Council Regulation (EU) 2016/300 (⁴³). For aspects not covered

by this Regulation or by Regulation (EU) 2016/300, the Staff Regulations and the Conditions of Employment of Other

Servants shall apply by analogy.

3.

The Executive Board, in agreement with the Commission, shall adopt the necessary implementing measures in

accordance with the arrangements provided for in Article 110 of the Staff Regulations.

4.

The Authority may make use of seconded national experts or other staff not employed by the Authority including FIU

delegates.

5.

The Executive Board shall adopt rules regarding staff from Member States to be seconded to the Authority and update

them as necessary. Those rules shall include, in particular, the financial arrangements related to those secondments,

including insurance and training. Those rules shall take into account the fact that the members of staff are seconded and are

to be deployed as staff of the Authority. They shall include provisions on the conditions of deployment. Where relevant, the

Executive Board shall aim to ensure consistency with the rules applicable to reimbursement of the mission expenses of the

statutory staff.

Article 86

Privileges and immunities

Protocol No 7 on the privileges and immunities of the European Union, annexed to the TEU and to the TFEU, shall apply to

the Authority and its staff.

43

Council Regulation (EU) 2016/300 of 29 February 2016 determining the emoluments of EU high-level public office holders (OJ

L 58, 4.3.2016, p. 1).

78/90

EN

OJ L, 19.6.2024

Article 87

Staff of the Authority previously employed by the EBA

Temporary agents employed under Article 2, point (f), and contract agents employed under Article 3a of the Conditions of

Employment of Other Servants, employed at the Authority by a contract concluded before 1 January 2026, and who

immediately prior to their employment at the Authority have been employed by the EBA in carrying out the

AML/CFT-related tasks and activities of the EBA listed in Regulation (EU) No 1093/2010, shall be offered the same type of

employment contract at the Authority as at the EBA and under the same conditions, subject to the limit on the number of

posts that are to be deducted from EBA and allocated to the Authority. Those agents shall be deemed to have served their

entire service at the Authority.

Article 88

Obligation of professional secrecy

1.

Members of the General Board and the Executive Board, and all members of staff of the Authority, including officials

seconded by Member States on a temporary basis, as well as all other persons carrying out tasks for the Authority on

a contractual basis, shall be subject to the requirements of professional secrecy pursuant to Article 339 TFEU and Article 67

of Directive (EU) 2024/1640, including after their duties have ceased.

2.

The Executive Board shall ensure that individuals who provide any service, directly or indirectly, permanently or

occasionally, relating to the tasks of the Authority, including officials and other persons authorised by the Executive Board

or appointed by the public authorities and FIUs for that purpose, are subject to requirements of professional secrecy

equivalent to those provided for in paragraph 1.

3.

For the purpose of carrying out the tasks conferred on it by this Regulation, the Authority shall be authorised, within

the limits and under the conditions set out in the acts referred to in Article 1(2), to exchange information with Union or

national authorities and bodies in the cases where those acts allow financial supervisors to disclose information to those

entities or where Member States can provide for such disclosure under the applicable Union law.

4.

The Authority shall establish practical arrangements for implementing the confidentiality rules referred to in

paragraphs 1 and 2.

5.

The Authority shall apply Commission Decision (EU, Euratom) 2015/444 (⁴⁴).

Article 89

Security rules on the protection of classified and sensitive non-classified information

1.

The Authority shall adopt its own security rules equivalent to the Commission’s security rules for protecting

European Union Classified Information (EUCI) and sensitive non-classified information, as set out in Commission Decision

(EU, Euratom) 2015/443 (⁴⁵) and Decision (EU, Euratom) 2015/444. The security rules of the Authority shall cover, inter

alia, provisions for the exchange, processing and storage of such information. The Executive Board shall adopt the

Authority’s security rules following approval by the Commission.

2.

Any administrative arrangement on the exchange of classified information with the relevant authorities of a third

country or, in the absence of such arrangement, any exceptional ad hoc release of EUCI to those authorities, shall be subject

to the Commission’s prior approval.

44

Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 on the security rules for protecting EU classified information (OJ

L 72, 17.3.2015, p. 53).

Commission Decision (EU, Euratom) 2015/443 of 13 March 2015 on Security in the Commission (OJ L 72, 17.3.2015, p. 41).

45

79/90

EN

OJ L, 19.6.2024

Article 90

Reporting of breaches and protection of reporting persons

1.

The Authority shall have in place dedicated reporting channels for receiving and handling information provided by

persons reporting actual or potential breaches of:

(a) Regulation (EU) 2024/1624, insofar as the requirements applicable to credit institutions and financial institutions are

concerned;

(b) Regulation (EU) 2023/1113;

(c) Directive (EU) 2024/1640, insofar as the requirements applicable to supervisory authorities, self-regulatory bodies in

the exercise of supervisory functions and FIUs are concerned.

2.

The persons reporting through those channels and the persons concerned shall enjoy the protection of Directive

(EU) 2019/1937, where applicable.

3.

Following the submission of reports pursuant to Article 60(4) of Directive (EU) 2024/1640 by supervisory authorities

in the non-financial sector, the Authority shall be able to request additional information from those supervisory authorities

on how they followed up on the reports received. Those supervisory authorities shall promptly provide the requested

information but shall not disclose information that may lead to the identification of the reporting person.

SECTION 2

Cooperation

Article 91

Cooperation with the European Supervisory Authorities

1.

The Authority shall establish and maintain close cooperation with the ESAs, in particular when developing draft

regulatory or implementing technical standards, guidelines or recommendations within the remit of their respective tasks.

2.

By 27 June 2025, the Authority shall conclude a memorandum of understanding with the ESAs setting out how they

intend to cooperate in the performance of their tasks under Union law.

Article 92

Cooperation with non-AML/CFT authorities

1.

The Authority shall cooperate and exchange information with non-AML/CFT authorities and, on a need-to-know and

confidential basis, with other national authorities and bodies competent for ensuring compliance with Directives

2009/110/EC, 2009/138/EC, 2014/17/EU, 2014/65/EU and (EU) 2015/2366, and with the ESAs, within the boundaries of

their respective mandates.

2.

The Authority shall conclude a memorandum of understanding with the prudential authorities as defined in Article 4

(1), point (40), of Regulation (EU) No 575/2013, the ESAs and the other national authorities competent for ensuring

compliance with Regulation (EU) 2023/1114, setting out in general terms how they will cooperate and exchange

information in the performance of their supervisory tasks under Union law in relation to selected and non-selected obliged

entities.

Where it deems it necessary, the Authority may also conclude a memorandum of understanding with any of the other

authorities or bodies referred to in paragraph 1 setting out in general terms how they will cooperate and exchange

information in the performance of their supervisory tasks under Union law in relation to selected and non-selected obliged

entities.

80/90

EN

OJ L, 19.6.2024

3.

By 27 June 2025, the Authority and the ECB shall conclude a memorandum of understanding setting out the practical

modalities for cooperation and for exchanging information in the performance of their respective tasks under Union law.

4.

The Authority shall ensure effective cooperation and information exchange between all supervisory authorities in the

AML/CFT supervisory system and the relevant authorities and bodies referred to in paragraph 1, including with regard to

access to any information and data in the central AML/CFT database referred to in Article 11.

Article 93

Partnerships for information sharing in the field of AML/CFT

1.

Where relevant for the fulfilment of the tasks referred to in Chapter II, the Authority may set up cross-border

partnerships for information sharing, in accordance with fundamental rights and judicial procedural safeguards, or

participate in partnerships for information sharing established in one or across several Member States with the objective of

supporting the prevention and combating of money laundering, its predicate offences and terrorist financing. Participation

of the Authority in an already existing partnership shall be subject to the agreement of the authorities that have established

such a partnership.

2.

Where the Authority sets up a cross-border partnership for information sharing, it shall ensure that the partnership

complies with the requirements of Article 75(3), (4) and (5) of Regulation (EU) 2024/1624. In addition to obliged entities,

the Authority may invite the competent authorities referred to in Article 2(1), point (44), points (a), (b) and (c), of that

Regulation, as well as Union bodies, offices and agencies which have a role in the prevention and combating of money

laundering, its predicate offences and terrorist financing, to take part in the partnership, where such participation is relevant

for the fulfilment of their tasks and powers. Upon the unanimous consent of the participating members, other third parties

may be invited to participate, on an occasional basis, in meetings of the partnership, where relevant.

Article 94

Cooperation with OLAF, Europol, Eurojust and the EPPO

1.

The Authority may conclude working arrangements with Union institutions, Union decentralised agencies and other

Union bodies, acting in the field of law enforcement and judicial cooperation. Those working arrangements may be of

a strategic, operational or technical nature, and shall in particular aim to facilitate cooperation and the exchange of

information between the parties thereto. The working arrangements shall neither form the basis for allowing the exchange

of personal data nor bind the Union or its Member States.

2.

The Authority shall establish and maintain a close relationship with OLAF, Europol, Eurojust, and the EPPO. To that

end, the Authority shall conclude separate working arrangements with OLAF, Europol, Eurojust and the EPPO setting out

the details of their cooperation. The relationship shall aim in particular to ensure the exchange of operational and strategic

information and trends in relation to ML/TF threats facing the Union.

3.

In order to promote and facilitate smooth cooperation between the Authority and Europol, Eurojust and the EPPO,

the working arrangements with them shall in particular provide for the possibility of posting liaison officers at each other’s

premises, and lay down conditions to that end.

Article 95

Cooperation with third countries and international organisations

1.

In order to achieve the objectives set out in this Regulation, and without prejudice to the respective competences of

the Member States and the Union institutions, the Authority may develop contacts and enter into administrative

arrangements with AML/CFT authorities in third countries that have regulatory, supervisory and FIU-related competences in

81/90

EN

OJ L, 19.6.2024

the field of AML/CFT as well as with international organisations and third-country administrations. Those arrangements

shall not create legal obligations in respect of the Union and its Member States nor shall they prevent Member States and

their competent authorities from concluding bilateral or multilateral arrangements with those third countries.

2.

The Authority may develop model administrative arrangements with a view to establishing consistent, efficient and

effective practices within the Union and to strengthening international coordination and cooperation in the fight against

ML/TF. Supervisory authorities and FIUs shall make every effort to follow such model arrangements.

3.

In cases where the interaction between, on the one hand, several Union supervisory authorities and FIUs with, on the

other hand, third-country authorities, concerns matters falling within the scope of the Authority’s tasks as set out in

Article 5, the Authority shall have a leading role in facilitating such interaction where necessary. That role of the Authority

shall be without prejudice to regular interactions by supervisory authorities and FIUs with third-country authorities.

4.

The Authority shall, within its powers pursuant to this Regulation and to the legislative acts referred to in Article 1(2),

contribute to the united, common, consistent and effective representation of the Union’s interests in international fora,

including by assisting the Commission in its tasks relating to the Commission’s membership of the Financial Action Task

Force and by supporting the work and objectives of the Egmont Group of Financial Intelligence Units.

CHAPTER VI

GENERAL AND FINAL PROVISIONS

Article 96

Access to documents

1.

2.

Regulation (EC) No 1049/2001 shall apply to documents held by the Authority.

Decisions taken by the Authority under Article 8 of Regulation (EC) No 1049/2001 may be the subject of a complaint

to the European Ombudsman or of an action before the Court of Justice of the European Union, under the conditions laid

down in Articles 228 and 263 TFEU, respectively.

3.

The right of access to documents shall not apply to confidential information comprising:

(a) information or data of the Authority, the financial supervisors or the obliged entities, obtained as a result of carrying

out the tasks and activities referred to in Article 5(2) and Chapter II, Section 3;

(b) any operational data or information related to such operational data of the Authority and of the FIUs that is in the

possession of the Authority as a result of carrying out the tasks and activities referred to in Article 5(5) and Chapter II,

Section 6.

4.

The confidential information referred to in paragraph 3, point (a), that relates to a supervisory procedure may be fully

or partially disclosed to the obliged entities which are parties to that supervisory procedure, subject to the legitimate

interest of other persons in the protection of their business secrets. That access shall not extend to internal documents of

the Authority, financial supervisors, or correspondence between them.

5.

The Executive Board shall adopt practical measures for applying Regulation (EC) No 1049/2001 and the rules

regarding disclosure of information relating to supervisory procedures.

Article 97

General language arrangements

1.

2.

Council Regulation No 1 shall apply to the Authority.

The Executive Board shall decide on the internal language arrangements for the Authority, which shall be consistent

with the language arrangements in direct supervision, adopted pursuant to Article 29.

82/90

EN

OJ L, 19.6.2024

3.

Translation and all other linguistic services required by the Authority, other than interpretation, shall be provided by

the Translation Centre for the Bodies of the European Union, as established by Council Regulation (EC) No 2965/94 (⁴⁶).

Article 98

Data protection

1.

The processing of personal data on the basis of this Regulation for the purposes of ML/TF prevention as referred to in

Article 70 of Directive (EU) 2024/1640 and Article 76 of Regulation (EU) 2024/1624 shall be considered necessary for the

performance of a task carried out in the public interest or in the exercise of official authority vested in the Authority under

Article 5 of Regulation (EU) 2018/1725 and Article 6 of Regulation (EU) 2016/679.

When drafting guidelines and recommendations in accordance with Article 54, having a significant impact on the

protection of personal data, the Authority shall closely cooperate with the European Data Protection Board established by

Regulation (EU) 2016/679 to avoid duplication, inconsistencies and legal uncertainty in the sphere of data protection. After

being authorised by the Commission, the Authority shall also consult the European Data Protection Supervisor established

by Regulation (EU) 2018/1725. The Authority may also invite national data protection authorities as observers in the

process of drafting such guidelines and recommendations.

2.

In accordance with Article 25 of Regulation (EU) 2018/1725, the Authority shall be permitted to adopt internal rules

which restrict the application of the rights of data subjects where such restrictions are necessary to the performance of the

tasks referred in Article 70 of Directive (EU) 2024/1640 and Article 76 of Regulation (EU) 2024/1624.

Article 99

Liability of the Authority

1.

In the case of non-contractual liability, the Authority shall, in accordance with the general principles common to the

laws of Member States, make good any damage caused by it or by its staff in the performance of their duties. The Court of

Justice of the European Union shall have jurisdiction in any dispute over the remedying of such damage.

2.

The personal financial liability and disciplinary liability of the Authority’s staff towards the Authority shall be

governed by the relevant provisions applying to the staff of the Authority.

Article 100

Delegated acts

1.

2.

The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

The power to adopt delegated acts referred to in Articles 27 and 77 shall be conferred on the Commission for an

indeterminate period of time from 27 December 2024.

3.

The delegation of power referred to in Articles 27 and 77 may be revoked at any time by the European Parliament or

by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take

effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified

therein. It shall not affect the validity of any delegated acts already in force.

4.

Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance

with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.

46

Council Regulation (EC) No 2965/94 of 28 November 1994 setting up a Translation Centre for bodies of the European Union (OJ

L 314, 7.12.1994, p. 1).

83/90

EN

OJ L, 19.6.2024

5.

As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to

the Council.

6.

A delegated act adopted pursuant to Article 27 shall enter into force only if no objection has been expressed either by

the European Parliament or the Council within a period of three months of notification of that act to the European

Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both

informed the Commission that they will not object. That period shall be extended by three months at the initiative of the

European Parliament or of the Council.

7.

A delegated act adopted pursuant to Article 77 shall enter into force only if no objection has been expressed either by

the European Parliament or the Council within a period of two months of notification of that act to the European

Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both

informed the Commission that they will not object. That period shall be extended by two months at the initiative of the

European Parliament or of the Council.

Article 101

Headquarters Agreement and operating conditions

1.

The necessary arrangements concerning the accommodation to be provided for the Authority in the Member State

where its seat is located and the facilities to be made available by that Member State, as well as the specific rules applicable

in that Member State to the staff of the Authority and members of their families, shall be laid down in a Headquarters

Agreement to be concluded between the Authority and that Member State after obtaining the approval of the Executive

Board.

2.

The Member State where the seat is located shall provide the best possible conditions to ensure the proper functioning

of the Authority, including multilingual, European-oriented schooling and appropriate transport connections.

Article 102

Evaluation and review

1.

By 31 December 2030, and every five years thereafter, the Commission shall draw up a report on the Authority’s

performance in relation to its objectives, mandate, tasks and location, in accordance with the Commission’s guidelines. That

report shall, in particular, address:

(a) the possible need to amend the mandate of the Authority, and the financial implications of any such amendment;

(b) the impact of all supervisory activities and tasks of the Authority on the interests of the Union as a whole, and

specifically the effectiveness of:

(i) supervisory tasks and activities related to direct supervision of selected obliged entities;

(ii) indirect supervision of non-selected obliged entities;

(iii) indirect oversight of other obliged entities;

(c) the impact of the activities related to support and coordination of FIUs, and in particular the coordination of the joint

analyses of cross-border activities and transactions conducted by FIUs;

(d) the impartiality, objectivity and autonomy of the Authority;

(e) the appropriateness of governance arrangements, including the composition of, and voting arrangements in, the

Executive Board and its relationship with the General Board;

(f) the cost effectiveness of the Authority, if appropriate, separately in relation to its distinct sources of funding;

(g) the effectiveness of the recourse mechanism against decisions of the Authority and the independence and accountability

arrangements applicable to the Authority;

84/90

EN

OJ L, 19.6.2024

(h) the effectiveness of cooperation and information sharing arrangements between the Authority and non-AML/CFT

authorities;

(i) the interaction between the Authority and the other Union supervisory authorities and bodies, including the EBA,

Europol, Eurojust, OLAF and the EPPO;

(j) the scope of direct supervision and the criteria and methodology for the assessment and selection of entities for direct

supervision;

(k) the effectiveness of the Authority’s supervisory and sanctioning powers;

(l) the effectiveness of, and convergence in, supervisory practices reached by supervisory authorities and the role of the

Authority therein.

2.

The report referred to in paragraph 1 shall also examine whether:

(a) the resources of the Authority are adequate to carry out its responsibilities;

(b) it is appropriate to confer on the Authority additional supervisory tasks regarding obliged entities in the non-financial

sector, specifying, as appropriate, the types of entities that should be subject to the additional supervisory tasks;

(c) it is appropriate to confer on the Authority additional tasks in the area of support and coordination of the work of FIUs;

(d) it is appropriate to confer on the Authority additional sanctioning powers.

3.

In every second report, the Commission shall conduct a thorough review of the results achieved by the Authority

having regard to its objectives, mandate, tasks and powers, including an assessment of whether the continuation of the

Authority is still justified with regard to these objectives, mandate and tasks.

4.

The report and any accompanying proposals, as appropriate, shall be forwarded to the European Parliament and to

the Council.

Article 103

Amendments to Regulation (EU) No 1093/2010

Regulation (EU) No 1093/2010 is amended as follows:

(1) Article 1 is amended as follows:

(a) in paragraph 2, the second subparagraph is deleted;

(b) in paragraph 5, point (h) is deleted;

(2) Article 4 is amended as follows:

(a) point (1a) is deleted;

(b) in point (2), point (iii) is deleted;

(3) in Article 8(1), point (l) is deleted;

(4) Articles 9a and 9b are deleted;

(5) in Article 17, paragraph 6 is replaced by the following:

‘6.

Without prejudice to the powers of the Commission pursuant to Article 258 TFEU, where a competent authority

does not comply with the formal opinion referred to in paragraph 4 of this Article within the period specified therein,

and where it is necessary to remedy, in a timely manner, such non-compliance in order to maintain or restore neutral

(EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 (OJ L, 2024/1620, 19.6.2024, ELI: http://data.

85/90

EN

OJ L, 19.6.2024

conditions of competition in the market or ensure the orderly functioning and integrity of the financial system, the

Authority may, where the relevant requirements of the legislative acts referred to in Article 1(2) of this Regulation are

directly applicable to financial institutions, adopt an individual decision addressed to a financial institution requiring it

to take all necessary action to comply with its obligations under Union law, including the cessation of any practice.

The decision of the Authority shall be in conformity with the formal opinion issued by the Commission pursuant to

paragraph 4.’;

(6) in Article 19, paragraph 4 is replaced by the following:

‘4.

Without prejudice to the powers of the Commission pursuant to Article 258 TFEU, where a competent authority

does not comply with the decision of the Authority, and thereby fails to ensure that a financial institution complies with

requirements directly applicable to it by virtue of the legislative acts referred to in Article 1(2) of this Regulation, the

Authority may adopt an individual decision addressed to that financial institution requiring it to take all necessary

action to comply with its obligations under Union law, including the cessation of any practice.’;

(7) in Article 33(1), the second subparagraph is deleted;

(8) in Article 40(7), the first subparagraph is replaced by the following:

‘The Board of Supervisors may decide to admit observers. In particular, the Board of Supervisors shall admit

a representative of the Authority for Anti-Money Laundering and Countering the Financing of Terrorism established by

Regulation (EU) 2024/1620 of the European Parliament and of the Council (*) where matters that fall under its mandate

are discussed or decided upon.

(*) Regulation (EU) 2024/1620 of the European Parliament and of the Council of 31 May 2024 establishing the

Authority for Anti-Money Laundering and Countering the Financing of Terrorism and amending Regulations

europa.eu/eli/reg/2024/1620/oj).’;

(9) in Article 81, paragraph 2b is deleted.

Article 104

Amendments to Regulation (EU) No 1094/2010

Regulation (EU) No 1094/2010 is amended as follows:

(1) in Article 1(2), the second subparagraph is deleted;

(2) in Article 40(5), the first subparagraph is replaced by the following:

‘The Board of Supervisors may decide to admit observers. In particular, the Board of Supervisors shall admit

a representative of the Authority for Anti-Money Laundering and Countering the Financing of Terrorism established by

Regulation (EU) 2024/1620 of the European Parliament and of the Council (*) where matters that fall under its mandate

are discussed or decided upon.

(*) Regulation (EU) 2024/1620 of the European Parliament and of the Council of 31 May 2024 establishing the

Authority for Anti-Money Laundering and Countering the Financing of Terrorism and amending Regulations

(EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 (OJ L, 2024/1620, 19.6.2024, ELI: http://data.

europa.eu/eli/reg/2024/1620/oj).’;

(3) in Article 54, paragraph 2a is deleted.

86/90

No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 (OJ L, 2024/1620, 19.6.2024, ELI: http://data.

EN

OJ L, 19.6.2024

Article 105

Amendments to Regulation (EU) No 1095/2010

Regulation (EU) No 1095/2010 is amended as follows:

(1) in Article 1(2), the second subparagraph is deleted;

(2) in Article 40(6), the first subparagraph is replaced by the following:

‘The Board of Supervisors may decide to admit observers. In particular, the Board of Supervisors shall admit

a representative of the Authority for Anti-Money Laundering and Countering the Financing of Terrorism established by

Regulation (EU) 2024/1620 of the European Parliament and of the Council (*) where matters that fall under its mandate

are discussed or decided upon.

(*) Regulation (EU) 2024/1620 of the European Parliament and of the Council of 31 May 2024 establishing the

Authority for Anti-Money Laundering and Countering the Financing of Terrorism and amending Regulations (EU)

europa.eu/eli/reg/2024/1620/oj)’;

(3) in Article 54, paragraph 2a is deleted.

Article 106

Transitional arrangements

1.

Until 27 June 2028, Article 11 shall only apply to financial supervisors, credit institutions and financial institutions.

However, supervisory authorities in the non-financial sector may on a voluntary basis already comply with the

requirements of that Article before that date.

For the purposes of establishing and maintaining the database referred to in Article 11, the Authority shall conclude

a bilateral agreement with the EBA on access to, as well as the financing and the joint management of, the AML/CFT

database established in accordance with Article 9a of Regulation (EU) No 1093/2010. The arrangement shall be established

for a mutually agreed period, which may be extended until no later than 30 June 2027. During that period, the EBA shall at

least be able to continue receiving information, analysing it and making it available in accordance with Article 9a(2) of

Regulation (EU) No 1093/2010 or in accordance with this Regulation, on behalf of the Authority and based on the

financing made available by the Authority for that purpose.

2.

By way of derogation from Article 13(2), where, during the first selection process, more than 40 obliged entities

would qualify for direct supervision pursuant to Article 13(1), the Authority shall carry out the tasks listed in Article 5(2) in

respect of the 40 obliged entities or groups operating in the highest number of Member States whether through

establishments or under the freedom to provide services.

Where the application of the criterion referred to in the first subparagraph of this paragraph yields more than 40 obliged

entities or groups, the Authority shall select, from the obliged entities or groups that would be selected in accordance with

the first subparagraph of this paragraph and that operate in the smallest number of Member States, those which have the

highest ratio of the volume of transactions with third countries to the total volume of transactions measured in the last

financial year.

3.

By way of derogation from Article 13(3), the additional selection process set out therein shall not apply during the

first selection process.

4.

By way of derogation from Article 48(7), the participation of FIUs in peer reviews shall be voluntary during the first

two peer review processes.

Article 107

Commencement of the Authority’s activities

The Commission shall be responsible for the establishment and initial operation of the Authority until 31 December 2025.

For that purpose:

87/90

EN

OJ L, 19.6.2024

(a) the Commission may designate a Commission official to act as interim Executive Director and exercise the duties

assigned to the Executive Director until the Authority has the capacity to implement its own budget and the Executive

Director has taken up his or her duties following his or her appointment by the Executive Board in accordance with

Article 70;

(b) by way of derogation from Article 62(1), until the Chair of the Authority has been appointed, the interim Executive

Director may convene and chair the meetings of the General Board, without the right to vote;

(c) by way of derogation from Article 64(4), point (g), until the adoption of a decision as referred to in Article 70, the

interim Executive Director shall exercise the appointing authority powers;

(d) the Commission may offer assistance to the Authority, in particular by seconding Commission officials to carry out the

activities of the Authority under the responsibility of the interim Executive Director or the Executive Director;

(e) the interim Executive Director may authorise all payments covered by appropriations entered in the Authority’s budget

and may conclude contracts, including staff contracts, following the adoption of the Authority’s establishment plan.

Article 108

Entry into force and application

This Regulation shall enter into force on the seventh day following that of its publication in the Official Journal of the

European Union.

It shall apply from 1 July 2025.

However, Articles 1, 4, 49, 53, 54, 55, 57 to 66, 68 to 71, 100, 101 and 107 shall apply from 26 June 2024, and

Article 103 shall apply from 31 December 2025.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 31 May 2024.

For the European Parliament

The President

For the Council

The President

H. LAHBIB

R. METSOLA

88/90

EN

OJ L, 19.6.2024

ANNEX I

List of the coefficients linked to aggravating and mitigating factors for the application of Article 22

The following coefficients shall be applicable in a cumulative way to the basic amounts referred to in Article 22(4) on the

basis of each of the following aggravating and mitigating factors:

I. Adjustment coefficients linked to aggravating factors:

1. If the breach has been committed repeatedly, for every time it has been repeated, an additional coefficient of 1,1 shall

apply.

2. If the breach has been committed for more than six months, a coefficient of 1,5 shall apply.

3. If the infringement has revealed systemic weaknesses in the organisation of the selected obliged entity, in particular in

its procedures, management systems or internal controls, a coefficient of 2,2 shall apply.

4. If the infringement has been committed intentionally, a coefficient of 3 shall apply.

5. If no remedial action has been taken since the breach has been identified, a coefficient of 1,7 shall apply.

6. If the selected obliged entity’s senior management has not cooperated with the Authority in carrying out its

investigations, a coefficient of 1,5 shall apply.

II. Adjustment coefficients linked to mitigating factors:

1. If the selected obliged entity’s senior management can demonstrate that it has taken all the necessary measures to

prevent the breach, a coefficient of 0,7 shall apply.

2. If the selected obliged entity has quickly and effectively brought the complete breach to Authority’s attention,

a coefficient of 0,4 shall apply.

3. If the selected obliged entity has voluntarily taken measures to ensure that similar breaches cannot be committed

anymore in the future, a coefficient of 0,6 shall apply.

89/90

EN

OJ L, 19.6.2024

ANNEX II

List of directly applicable requirements referred to in Article 22(3)

1. Requirements related to customer due diligence referred to in Article 22(3), points (a) and (b), of this Regulation shall be

those in Articles 19, 20, 21, 22, 23, 25, 26, 33, 34, 36, 39, 42, 44, 46 and 47 of Regulation (EU) 2024/1624.

2. Requirements related to group-wide policies, procedures and controls referred to in Article 22(3), point (a), of this

Regulation shall be those in Articles 16 and 17 of Regulation (EU) 2024/1624.

3. Requirements related to reporting obligations referred to in Article 22(3), points (a) and (b), of this Regulation shall be

those in Articles 69, 70 and 71 of Regulation (EU) 2024/1624 and Articles 9, 13 and 18 of Regulation (EU) 2023/1113.

4. Requirements related to internal policies, procedures and controls referred to in Article 22(3), point (b), of this

Regulation shall be those in Articles 9, 10, 11, 18, 48 and 49 of Regulation (EU) 2024/1624 and Article 23 of

Regulation (EU) 2023/1113.

5. Other requirements referred to in Article 22(3), points (c) and (d), of this Regulation shall be those in Articles 73, 77, 78

and 79 of Regulation (EU) 2024/1624 and Articles 7, 8, 10, 11, 12, 14, 16, 17, 19, 21, 24 and 26 of Regulation

(EU) 2023/1113.

90/90