AMLR: Centralised mechanisms and information-sharing – risk assessment, compliance and organisation
The fourth post in Morling Consulting’s blog series on the EU’s new AMLR covers Articles 10–12. At Morling Consulting, our AML lawyers provide specialist support with the anti-money laundering framework to companies and organisations across Europe, helping to interpret, implement and operationalise the new rules in practice, including support with the enterprise-wide risk assessment, the organisation of compliance functions, and the design of internal governance and control structures. The first post addressed the key definitions in the AML framework, which provide the essential starting point for understanding the Regulation’s system, scope and use of terminology. Readers new to the topic are encouraged to begin with post one.
This post analyses Articles 10–12 of the AMLR, which regulate how obliged entities must organise their internal work and the centralised mechanisms. This is to be achieved through the enterprise-wide risk assessment, clear functions for compliance, and measures to ensure awareness and competence among staff and other relevant actors. A recurring focus is how centralised AML mechanisms and structured information-sharing can be used to strengthen governance, transparency and compliance within the organisation. Together, these Articles form a core part of the AMLR’s requirements on governance, internal control and allocation of responsibilities, closely linked to the development of centralised mechanisms and information-sharing within the AMLR.
AMLR Article 10 – Enterprise-wide risk assessment
Article 10 of the Regulation requires each obliged entity to conduct an enterprise-wide risk assessment. This obliges entities to identify and assess risks within the business relating to money laundering and terrorist financing, as well as the risks that financial sanctions are circumvented or not implemented. The risk assessment must be proportionate to the nature, size, complexity and risk profile of the business, yet sufficiently comprehensive to identify these risks.
The provision expressly specifies the factors and information to be considered. These include the risk variables and risk factors listed in the AMLR annexes, but also the results of risk assessments conducted at Union and national level, and sector-specific risk assessments where available. Relevant information from international standard-setters, competent authorities and the entity’s own customer base must be integrated into the analysis.
A particularly important component of Article 10 is the requirement to update the risk assessment when the business changes. Before new products, services, business practices, distribution channels or technological solutions are launched—or before existing products and services are offered to new customer segments or in new geographic areas—the associated risks must be identified and assessed. In practice, the risk assessment must function as an active steering mechanism within ongoing business operations and an integral part of an AML risk management framework and a risk-based approach to AML.
Article 10 also places clear requirements on documentation and ongoing maintenance. The risk assessment must be documented, kept current and reviewed regularly by the obliged entity. Reviews should occur not only periodically but also when internal or external events materially affect the risk picture—for example, changes in customer composition, transaction patterns, geographic exposure or products. Where required by supervisory authorities, the risk assessment must be provided and made available to them.
Of particular significance is that the risk assessment must be prepared by the person responsible for compliance and subsequently approved by the management body in its management function. If a supervisory function exists within the governance structure, it must also be informed. This creates a clear link between the risk assessment, corporate governance and top-level responsibility allocation. The AMLR thus underscores that responsibility for risk management and compliance ultimately rests with the leadership and forms part of sound governance and compliance.
Scope for supervisory authorities to exempt certain sectors from the requirement to maintain individual documented risk assessments is limited. Exemptions do not extend to credit institutions, financial institutions or providers of crowdfunding services. Furthermore, exemptions presuppose that the sector’s risks are obvious and well known. The main rule remains that each obliged entity performs its own analysis in line with the risk-based approach to AML risk management and money laundering prevention.
AMLR Article 11 – Compliance functions, governance and compliance
Article 11 regulates how obliged entities must organise their compliance functions.
Obliged entities must appoint a Chief Compliance Officer (CCO), who must be a member of the management body in its managerial function. The CCO is responsible for ensuring compliance with the AMLR, Regulation (EU) 2023/1113 and all binding acts issued by supervisory authorities. This includes responsibility for ensuring that the entity’s internal policies, procedures and controls are aligned with the business’s risk exposure and that sufficient human and material resources are allocated. The remit also covers receiving reports of material deficiencies in policies, procedures and controls. The role is therefore strategic and closely connected to the leadership’s overarching responsibility for governance and internal control. Where the management body has collective responsibility, the CCO must support and advise the body and prepare decisions under Article 11.
The management body must also appoint a Compliance Officer. The Compliance Officer must hold a sufficiently senior position and be responsible for the day-to-day work with AML requirements, including policies, procedures and controls to counter money laundering and terrorist financing. The role also serves as the contact point with competent authorities and is responsible for reporting suspicious transactions to the financial intelligence unit. The AMLR places weight on this function not merely existing on paper but having real powers and access to necessary information as part of effective AML internal controls.
If the management or beneficial owners of an obliged entity are subject to Article 6 of Directive (EU) 2024/1640 on checks of management and beneficial owners in certain obliged entities, or other Union acts, appropriate checks must be performed to verify that Compliance Officers meet required standards. Within groups, an obliged entity may appoint a Compliance Officer at another group entity, provided the obliged entity is low risk and not unduly large.
Where a Compliance Officer is to leave the role, this may occur only after prior notification to the management body in its managerial function. The obliged entity must in turn inform the supervisory authority.
Article 11 contains detailed requirements on resourcing so that responsibilities can be discharged effectively. Obliged entities must ensure that compliance functions are provided with adequate human and technical resources relative to the business’s size and risks. Furthermore, Compliance Officers must be protected against reprisals, discrimination and other unfair treatment. Decisions taken by the Compliance Officer must not be undermined or unduly influenced by commercial interests.
Direct reporting lines are of particular importance. The Compliance Officer and the person responsible for the audit function must be able to report independently—for example, concerns and risk warnings—directly to the management body in its managerial function and, where applicable, to the management body in its supervisory function. This is a key component of the AMLR’s internal information flows and strengthens centralised mechanisms and information-sharing within the organisation.
The CCO must also report to the management body on an ongoing basis on the implementation of internal policies and controls. At least annually, a consolidated report on the implementation of internal policies must be submitted, based on input from the Compliance Officer. Any deficiencies identified must be remedied without delay by the CCO.
There are limited circumstances where the duties of the CCO and the Compliance Officer may be discharged by the same individual. Any such decision must consider the nature, risk, complexity and size of the obliged entity.
AMLR Article 12 – Awareness and training obligations
Under Article 12 AMLR, obliged entities must ensure that employees, agents and distributors are aware of the requirements in the AMLR, Regulation (EU) 2023/1113, binding acts issued by supervisory authorities, the enterprise-wide risk assessment, and the internal policies adopted by the obliged entity. This also includes understanding how personal data may be processed within the AML framework. Article 12 thereby places emphasis on the human factor in AML work.
The training required under the Article must be suitable and proportionate to the business and its risks of being misused for money laundering or terrorist financing. The purpose is to equip relevant individuals to identify transactions potentially linked to money laundering or terrorist financing and to know how to act in such situations. Training must also be documented, underscoring that competence development is an integral part of effective AML internal controls.
In a broader perspective, these requirements help strengthen centralised mechanisms and information-sharing at the individual level by ensuring that relevant information is identified, understood and escalated within the organisation in a structured manner as part of robust AML risk management.
From formalities to governance: what AMLR 10–12 require in practice
Articles 10–12 AMLR clearly illustrate how the EU’s new framework shifts focus from formal compliance to effective risk management, governance and information flows. Through requirements for enterprise-wide risk assessments, clear and protected compliance functions, and systematic training, the AMLR creates the conditions for a more coherent and effective AML system and a practical AML risk management framework.
Within this structure, centralised mechanisms and information-sharing play a decisive role—both within the individual organisation and in interactions between obliged entities, supervisory authorities and at EU level. For obliged entities, this means increased demands on analysis, documentation and governance and compliance, but also the opportunity to build more robust and sustainable systems to manage risks relating to money laundering, terrorist financing and the implementation of financial sanctions as part of comprehensive money laundering prevention.
Want to continue right away? Here’s the next part: AMLR Articles 13–15: employee integrity, whistleblowing and internal control.