Outsourcing under Article 18 of the AMLR
We continue with the seventh instalment in Morling Consulting’s blog series on the EU AMLR. The fifth post addressed internal control and governance linked to the AML risk framework, focusing on how effective control structures and allocation of responsibilities underpin sound AML compliance. For readers wishing to explore how governance, internal control and risk management interact under the AMLR, we recommend that earlier article.
Against this background, Morling Consulting supports firms in the finance and advisory sectors with AML expertise, providing legally qualified support on governance, internal control and AMLR compliance. This instalment focuses on the outsourcing of AML-related tasks, the applicable legal parameters, and the link between outsourcing, AML policies and internal control.
AMLR Article 18 – Outsourcing within an outsourcing governance framework
The AMLR recognises that obliged entities in practice often rely on external service providers to perform certain AML-related tasks. Article 18 therefore confirms that outsourcing is permitted, but only under strictly regulated conditions. Obliged entities may outsource tasks arising under the Regulation to service providers. However, the obliged entity must notify the supervisory authority of the outsourcing in advance, i.e. before the provider performs the tasks.
Under Article 18(2), the service provider is to be regarded as part of the obliged entity when performing outsourced tasks. This also applies where, on the obliged entity’s behalf, the provider consults central registers to carry out customer due diligence measures. “Central registers” refers to the registers set out in Article 10 of Directive (EU) 2024/1640, namely central registers of beneficial ownership.
The fundamental principle is that outsourcing must never entail a transfer of responsibility. The obliged entity remains fully responsible for AML compliance and for all actions or omissions linked to the outsourced tasks performed by an external party.
At the same time, there are exacting transparency requirements on how the obliged entity oversees the provider’s operations. For each outsourced task, the obliged entity must be able to demonstrate to the supervisory authority that it understands how the provider performs the outsourced task. This creates a clear link between risk assessment, AML policies and the decision to outsource, and should be embedded in the outsourcing governance framework.
Where an obliged entity outsources tasks to an external party, the assignment must not be carried out in a way that materially undermines the entity’s procedures and guidelines for meeting the requirements of the Regulation, of Regulation (EU) 2023/1113, or of the controls established to test the entity’s policies and procedures.
Article 18(3) contains an exhaustive list of tasks that must not be outsourced. These are directly connected to the obliged entity’s core responsibilities and strategic judgements. They include, among other things, proposing and approving the overall risk assessment, approving internal policies, procedures and controls, and deciding a customer’s risk profile. Decisions to enter into business relationships or execute occasional transactions, as well as certain reports of suspicious activity to the Swedish Financial Intelligence Unit (Finanspolisen, FIU), are expressly excluded from outsourcing.
Before outsourcing any task, the obliged entity must ensure that the service provider is sufficiently qualified for the assignment. In addition, the obliged entity must ensure that the provider, and any sub-contractors, apply the obliged entity’s AML policies and guidelines.
The obliged entity must put in place a written agreement with the service provider setting out the terms for task execution. The obliged entity must then regularly verify that the provider is in fact meeting these requirements. The frequency of these checks is determined by the criticality of the outsourced tasks. This should be addressed through an appropriate outsourcing risk assessment.
Article 18(5) emphasises that obliged entities must ensure that outsourcing does not materially impair the ability of supervisory authorities to exercise effective supervision. This ensures that the supervisory authority can always obtain visibility of how AML-related tasks are performed within obliged entities, even where they are executed by external actors.
Particularly strict rules apply to outsourcing to service providers in third countries identified as high-risk jurisdictions. As a rule, obliged entities must not outsource tasks covered by the Regulation’s requirements to providers established or resident in high-risk jurisdictions, although there are narrow exceptions.
Those exceptions apply only where all the conditions set out in Article 18(6) are met. Specifically:
- the obliged entity outsources tasks only to a service provider within the same group,
- the group applies policies and procedures to combat money laundering and terrorist financing, as well as customer due diligence and record-keeping rules, aligned with the Regulation or with equivalent third-country provisions, and
- implementation of those group-wide policies and procedures is overseen at group level by the supervisory authority in the home Member State.
Article 18 also has implications for the internal AML function. Even where tasks are outsourced, the AML function must retain control over risk assessment, policy development and strategic decisions. In practice, the obliged entity must have sufficient competence to evaluate the quality of work performed externally and to operate an effective outsourcing governance framework.
From outsourcing to a practical outsourcing governance framework
Article 18 of the AMLR makes clear that outsourcing can be an effective tool for obliged entities – but only where governance, control and allocation of responsibilities are clearly defined. Outsourcing is not a means of diluting accountability; it is a way of organising how tasks are performed within the same line of responsibility.
In practice, each outsourcing decision must be explicitly linked to the obliged entity’s overarching AML strategy, risk assessment and internal control environment. Before tasks are placed with an external provider, the business should ensure that:
- the selection of the provider and any sub-contractors is subject to structured due diligence and ongoing monitoring,
- the outsourcing agreement sets out concrete requirements for compliance, reporting, documentation and transparency,
- the internal AML function has the expertise and mandate to review and challenge the provider’s work, and
- the supervisory authority’s need for visibility can be met even when tasks are performed by external actors, including where outsourcing occurs within groups or to third countries.
To learn more about our services and how we can support your AML work, visit morlings.se.
The series continues with the following topic: AMLR Articles 19–20: customer due diligence, risk assessment and ongoing monitoring
10 March 2026