Ongoing monitoring and supervisory measures in high-risk relationships under AMLR
We continue with Part 15 of our blog series on the EU’s new Anti-Money Laundering Regulation (AMLR). This post covers Articles 38 and 39, which regulate specific measures linked to individual counterparty institutions in third countries and the prohibition on correspondent relationships with shell banks. These provisions mark a shift from general KYC requirements to directly interventionist obligations.
For obliged entities, it is always essential to carry out ongoing monitoring and to keep customer information up to date, as these are core, continuous requirements within customer due diligence.
For those who wish to explore these foundational obligations in relation to third countries in more depth, we recommend Part 11 of the blog series, which addresses ongoing monitoring as a continuous KYC requirement in light of geographic risks.
In this part, the requirements are placed in a more supervision-adjacent and interventionist context, where access to qualified AML legal support for organisations with high regulatory demands is particularly important to ensure correct compliance.
Ongoing monitoring and keeping customer information up to date as a core principle under AMLR
The requirements for ongoing monitoring and keeping customer information up to date run through AMLR and are a prerequisite for obliged entities to identify evolving risk profiles, anomalous behaviours and new threats to the financial system. Articles 38 and 39 must be understood against this backdrop. They target situations where the risks are particularly elevated, either due to deficiencies at a specific counterparty in a third country or due to structures that are, in themselves, considered incompatible with an effective system for combating money laundering and terrorist financing. The provisions therefore form an important complement to the general customer due diligence rules and enhanced measures set out in earlier articles.
Article 38 AMLR – Specific measures for individual counterparty institutions in third countries
Article 38 introduces a procedure for how credit institutions and financial institutions must act in relation to counterparty institutions in third countries with which they maintain a correspondent relationship under Article 36 or 37, and with regard to recommendations issued by AMLA under Article 38(2). In such cases, credit institutions and financial institutions must apply the measures set out in Article 38(6).
A central component of Article 38 is AMLA’s power to issue recommendations addressed to credit institutions and financial institutions. Such a recommendation must be issued where there are concerns that a counterparty institution in a third country:
- has committed serious, repeated or systematic breaches of AML and CFT rules,
- shows significant shortcomings in its internal policies, procedures and controls that are likely to lead to serious, repeated or systematic breaches of AML and CFT rules, or
- has implemented policies, procedures and controls that are not proportionate to the risks of money laundering, predicate offences to money laundering and terrorist financing to which its business is exposed.
A recommendation must be issued where all conditions under Article 38(3) are met. These include that a financial supervisory authority, including AMLA, considers that a counterparty institution in a third country falls within one of the situations under Article 38(2) and may affect the risk exposure of the correspondent relationship. A further condition is that, following an assessment, there is consensus among the Union’s financial supervisory authorities that the counterparty institution in the third country is in one of the situations under Article 38(2) and that this may affect the correspondent relationship’s risk exposure.
Issuing a recommendation also requires AMLA to consult the third country’s competent supervisory authority for the counterparty institution. At AMLA’s request, that authority must provide its own and the counterparty institution’s views on whether the counterparty’s internal procedures and customer due diligence measures are sufficient and which measures must be taken going forward. AMLA must then proceed with its recommendation where no response is provided or where the response cannot demonstrate that the counterparty institution can implement the measures required to mitigate the risks. If the counterparty institution no longer meets the conditions set out under Article 38(3), AMLA must withdraw its recommendation.
In relation to counterparty institutions in third countries, financial institutions and credit institutions are obliged to:
- refrain from entering into new business relationships with the counterparty institution unless sufficient risk-mitigating measures have been applied,
- for ongoing business relationships with the counterparty institution, review and update the information on the counterparty institution in accordance with Articles 36 or 37,
- terminate the business relationship where the risks cannot be managed adequately, and
- inform the counterparty institution of the assessments, conclusions and measures taken.
This is where the requirement for ongoing monitoring and keeping customer information up to date becomes particularly pronounced. The institutions’ duty to continuously review their risk assessment means that existing relationships cannot be left without active follow-up, even where they were previously assessed as sufficient. Where AMLA has withdrawn a recommendation under Article 38(5), financial institutions and credit institutions must review their assessment of whether the counterparty institution meets any of the conditions established under Article 38(3).
Finally, Article 38(7) sets out an explicit documentation requirement for all decisions taken by credit institutions and financial institutions under the article. This is crucial from both a supervisory and accountability perspective and links to the requirements on governance, internal control and a well-functioning AML programme. The documentation must enable ex post review and demonstrate that the institution has acted on the basis of an independent, well-substantiated and proportionate risk assessment.
Article 39 AMLR – Prohibition on correspondent relationships with shell banks
Article 39 contains a more categorical requirement by imposing an explicit prohibition on correspondent relationships with shell banks. Credit institutions and financial institutions may neither enter into nor maintain correspondent relationships with shell banks. In addition, they must take appropriate measures to ensure that they do not enter into or maintain correspondent relationships with such institutions through counterparties that allow their accounts to be used by shell banks. Here too, ongoing monitoring and keeping customer information up to date are decisive for the early identification of structures that run counter to the purpose of the regime.
Article 39(2) extends the prohibition to cover crypto-asset service providers. These must ensure that their accounts are not used by shell banks for the provision of crypto-asset services. Crypto-asset service providers must therefore have internal policies, procedures and controls to detect attempts to use and provide unregulated crypto-asset services.
From rules to implementation under AMLR – implications for obliged entities
Articles 38 and 39 clearly show how AMLR moves from general principles to concrete supervisory measures and prohibitions. For obliged entities, this means that requirements on governance, documentation, and ongoing monitoring and keeping customer information up to date are tightened further in international and cross-border relationships. A well-considered and practically implemented AML programme therefore becomes not only a tool for compliance, but a central component of the organisation’s risk management and strategic decision-making.
At Morling Consulting, we support operators across Europe with deep expertise in AMLR, supervisory matters and the design of effective AML programmes, helping organisations achieve secure, proportionate and sustainable compliance.