Group-wide risk management under AMLR and operations in third countries
Welcome to the sixth part of Morling Consulting’s blog series on the EU’s AMLR. The previous post addressed employee privacy, whistleblowing and internal control, focusing on organisational requirements for compliance with the anti-money laundering framework. Readers seeking a deeper dive into organisational requirements are encouraged to review that post. In this part, the focus shifts from the individual obliged entity to group structures and cross-border activity, where the position of third countries with lower standards for countering money laundering and terrorist financing becomes especially central. Morling Consulting supports obliged entities with legal advisory in AML work, including interpretation of the AMLR group rules and the design of group-wide risk assessments, controls, guidelines and policies.
Articles 16 and 17 AMLR – the core of group-wide measures
Articles 16 and 17 of the AMLR form the core of the Regulation’s framework for group-wide measures against money laundering and terrorist financing. These provisions address how parent undertakings must ensure consistent and effective risk management throughout the group, including branches and any subsidiary in other Member States and in third countries. They make clear that the AMLR risk-based approach cannot be confined to national or organisational boundaries; it must apply consistently across the entire group, irrespective of branch, products or distribution channels.
Article 16 builds on the enterprise-wide risk assessment covered in the earlier post on risk assessment, compliance and organisation, and introduces the requirement for a group-wide risk assessment. This must be carried out by the parent undertaking and take into account the general risk assessments performed by all branches and subsidiaries within the group. The parent undertaking is responsible for ensuring that all group branches and subsidiaries in the Member States meet requirements relating to internal procedures, staffing and risk assessment. For groups with their head office in the Union, activities in third countries are also within scope.
The risk assessment must underpin group-wide guidelines, procedures and controls, including rules for data protection and information exchange within the group. These measures should ensure that all staff, regardless of location, are aware of and act in accordance with the AMLR. Information sharing is a precondition for effective risk management, but must occur within applicable data protection rules and with adequate safeguards for confidentiality and traceability. This is particularly relevant where information concerns suspicious transactions or customers linked to high-risk countries, where mishandling may create further risk. Article 16 also clarifies that group guidelines, policies and risk assessments must cover the same content as required by Articles 9 and 10 of the AMLR, namely internal governance, risk management and the enterprise-wide risk assessment.
The group-wide risk assessment is not a parallel or stand-alone analysis, but a unifying framework. The parent undertaking must analyse how specific risk factors—such as customer profiles, products, distribution channels and geographic exposure—interact at group level. This is especially important when the group operates in multiple jurisdictions with differing risk profiles and minimum requirements.
If the group is established in several Member States, and, where applicable, in third countries where the head office is located in the Union, the parent undertaking must take into account information published by competent authorities in all relevant jurisdictions. The group’s risk analysis cannot be limited to internal assessments; it must integrate national and international risk pictures. A central aspect is the management of geographic risk, particularly in relation to countries with lower standards for countering money laundering and terrorist financing. While the concept of high-risk countries is elaborated elsewhere in the AMLR, Article 16 expects parent undertakings to consider information published by authorities in all Member States and in third countries.
Article 16(2) introduces an explicit requirement for group-level compliance functions. There must be a head of compliance at group level and, where justified, a compliance officer. Decisions on the scope of these functions must be documented, reinforcing transparency and traceability in governance. The group head must report regularly to the parent undertaking’s management body, and at least annually provide a consolidated report on the implementation of group-wide guidelines, procedures and controls, and take measures to remedy any deficiencies. This creates a clear link between risk assessment, operational compliance and strategic accountability at the highest level, including timely remediation.
One of the most far-reaching aspects of Article 16 is the requirement for information exchange within the group. Controls, procedures and guidelines for information sharing must require obliged entities to exchange information within the group. The information in question must be relevant to customer due diligence (KYC) and risk management in countering money laundering and terrorist financing. Information covered by Article 16 includes customer identity, beneficial ownership, the purpose and nature of the business relationship, as well as suspicions reported to the Swedish Financial Intelligence Unit (Finanspolisen, FIU). Such internal transparency supports earlier detection of patterns across the branch network.
This information exchange is vital for identifying and managing specific risk factors that can arise in complex group structures. For example, a customer relationship maintained by a subsidiary in a third country may appear lower risk locally but may have a different significance when assessed alongside other group relationships. Structured information exchange enables early identification and analysis of such patterns while respecting confidentiality.
At the same time, the AMLR requires the parent undertaking to implement guidelines and controls so that information is subject to adequate safeguards for confidentiality and data protection. Groups must therefore develop technical and organisational solutions that enable information sharing without compromising legal certainty or integrity, including appropriate access controls and audit trails.
Article 17 AMLR – branches and subsidiaries in third countries
Article 17 focuses on branches and subsidiaries in third countries. If the minimum requirements in a third country are less stringent than those of the AMLR, the parent undertaking must ensure that operations still comply with the standards set by the AMLR. The provision also covers applicable requirements relating to data protection or similar rules, ensuring consistent policies across the group.
If third-country law does not permit full compliance with the Regulation, the parent undertaking must take additional measures to ensure that branches and subsidiaries in that third country manage the risk of money laundering and terrorist financing. These measures must be reported to the home Member State supervisory authority. If the measures are deemed insufficient, the supervisory authorities may require additional supervisory actions. These may include far-reaching interventions—such as prohibiting new business relationships, terminating existing relationships, or winding down operations in the third country—where necessary to address deficiencies.
The provision has particular practical importance when operations are conducted in high-risk countries, where legal, institutional or political conditions may hinder compliance with the AMLR. Article 17 makes clear that such challenges do not absolve the group of responsibility; they may instead justify stricter requirements, enhanced controls and intensified supervision, including targeted remediation plans and reinforced staffing.
Technical standards and future developments under AMLA
Both Articles 16 and 17 empower AMLA to develop regulatory technical standards, to be adopted by the Commission. These standards will set minimum requirements for group-wide guidelines, information exchange and additional measures in third countries. For obliged entities, the framework will be further specified over time, requiring continuous updates to group risk management, KYC processes and internal controls. Through these standards, the conditions for more consistent supervision of groups with cross-border activity within the Union are strengthened.
Practical implications for groups – applying the AMLR
Taken together, Articles 16 and 17 of the AMLR show that effective prevention of money laundering and terrorist financing requires a group perspective that accounts for all jurisdictions in which the group operates. The group-wide risk assessment is a natural extension of the enterprise-wide assessment and demands integrated governance, robust controls, structured information exchange, and clear accountability at management level. For groups with cross-border operations, this also entails increased demands on analysis and control, including policies tailored to geographic risk and demonstrable traceability.
Morling Consulting advises obliged entities on implementing group-wide risk assessments, designing guidelines and policies, and calibrating controls aligned with the AMLR’s risk-based approach. We support clients in interpreting the AMLR and forthcoming standards under AMLA, and in strengthening governance, remediation programmes and sustainable risk management across Europe.
The next component of the AMLR is covered here: Outsourcing under Article 18 of the AMLR