Reliance on Third Parties and Sector-Specific Customer Due Diligence under Articles 47–50 AMLR

In today’s instalment of our AMLR blog series, we analyse Articles 47–50, which contain specific provisions on customer due diligence measures and the regulatory framework for the use of customer due diligence measures carried out by other obliged entities. One of the most central components of AMLR is precisely customer due diligence measures, and it is for obliged entities’ risk assessments to determine when enhanced measures need to be applied. We addressed enhanced customer due diligence measures in an earlier part of our AMLR blog series, and readers wishing to explore in greater depth how the framework addresses customer due diligence measures in higher-risk business relationships are referred to our post on KYC requirements for high-risk business relationships.

The framework set out in Articles 47–50 covers Sections 5 and 6 of AMLR and raises key issues relating to the allocation of responsibility, oversight and governance within the risk-based AML system. For businesses seeking to ensure that their internal policies, procedures and controls are consistent with AMLR requirements, an external review of your AML programme can be a valuable tool. Such a review makes it possible to assess whether governance, procedures and contractual arrangements meet the Regulation’s requirements for effective risk management and documented compliance.

Article 47 – Specific Provisions for the Life Insurance and Other Investment-Related Insurance Sectors

Article 47 appears in Section 5 and contains sector-specific provisions for life insurance business and other investment-related insurance business. The provision establishes that obliged entities must apply specific customer due diligence measures to beneficiaries of life insurance policies and other investment-related insurance policies, in addition to the customer due diligence measures required in relation to the customer and the beneficial owner. Once these beneficiaries have been identified or designated, the following measures must be applied:

• Where beneficiaries have been identified as specifically named individuals or legal arrangements, the name of the individual or legal arrangement must be documented.
• Where, by contrast, beneficiaries have been designated or identified by characteristics, class or other means, sufficient information about the beneficiary must be obtained so that the beneficiary’s identity can be established and determined at the time of payout.

The key feature of Article 47 is that verification of the beneficiary’s identity, and where relevant the identity of the beneficial owner, must take place at the time of payout. In the event of a full or partial assignment of the insurance policy in question to a third party, obliged entities must, where they are aware of the assignment, establish the identity of the beneficial owner when the value of the policy is transferred to the natural person, legal person or arrangement. Article 47 illustrates how AMLR adapts customer due diligence measures to the characteristics and risk profile of a specific sector.

Section 6 – Reliance on Customer Due Diligence Measures Carried Out by Other Obliged Entities

Articles 48–50, which appear in Section 6, regulate the conditions for relying on customer due diligence measures carried out by other obliged entities. The purpose of these provisions is to avoid repetitive customer identification procedures.

Article 48 – General Provisions on Reliance on Customer Due Diligence Measures Carried Out by Other Obliged Entities

Article 48(1) provides that obliged entities may rely on other obliged entities to meet customer due diligence requirements under Article 20(1)(a), (b) and (c). This applies whether the obliged entities relied upon are established within the Union or in a third country. However, this is subject to conditions. First, the entity relied upon must apply customer due diligence and record-keeping requirements corresponding to AMLR or, if it is established in a third country, rules equivalent to those requirements. Secondly, that entity’s compliance with AML/CFT requirements must be supervised in accordance with Chapter IV of Directive (EU) 2024/1640.

A central principle of Article 48 is that ultimate responsibility always remains with the entity that relies on the third party, namely the obliged entity making use of another obliged entity’s measures. Reliance on a third party therefore does not involve any transfer of legal responsibility, but rather a possibility to make operational use of measures already carried out.

Under Article 48(2), when deciding to rely on another obliged entity in a third country, obliged entities must take into account geographical risk factors under Annexes II and III to AMLR, together with guidance and information from the Commission, AMLA or other competent authorities.

Article 48(3) contains specific provisions for groups. Where an obliged entity forms part of a group, compliance with the requirements under Articles 48 and 49 may be ensured through group-wide policies and controls, provided that three conditions are met.

First, the obliged entity relying on another obliged entity and the entity relied upon must belong to the same group. In addition, the group must apply AML and CTF rules in its policies and procedures that are consistent with AMLR or equivalent third-country rules. Finally, implementation must be supervised at group level by the relevant supervisory authority. This is where third-party reliance is integrated into and regulated through group governance and internal control.

Article 48(4) prohibits obliged entities from relying on obliged entities established in third countries identified under Section 2 of the Chapter. An exception nevertheless applies to obliged entities established in the EU whose branches and subsidiaries are established in those third countries. In such cases, obliged entities may rely on those branches and subsidiaries provided that all the conditions in paragraph 3 are met.

Article 49 – Procedure for Reliance on Another Obliged Entity’s Customer Due Diligence Measures

Article 49 regulates the procedure that applies where an obliged entity relies on another obliged entity’s customer due diligence measures. Under Article 49, obliged entities must obtain all necessary information from the obliged entity concerning the customer due diligence measures referred to in Article 20(1)(a), (b) and (c), or concerning the business relationship that will be covered.

In addition, the obliged entity relying on another obliged entity for customer due diligence must take all necessary steps to ensure that, upon request and without delay, and always within a maximum of five working days, the entity relied upon provides the following:

• Copies of the information collected for the purpose of identifying the customer.
• The supporting documents or reliable information sources used to verify the customer’s identity. The same applies to the identity of the customer’s beneficial owners and persons acting on the customer’s behalf.
• All information concerning the purpose of the business relationship and its intended nature.

Under Article 49(4), the terms governing the transfer of information between the obliged entities must be set out in a written agreement. The requirement for an agreement enables a clear allocation of responsibility, regulation of information security and documentation of the parties’ commitments. Where the obliged entity relies on another obliged entity within the same group, it is possible to replace the written agreement with an internal procedure, provided that the conditions in Article 48(3) are satisfied.

Article 50 – Guidelines on Reliance on Other Obliged Entities’ Customer Due Diligence Measures

Article 50 provides that, by 10 July 2027, AMLA must issue guidelines to obliged entities on the following:

The application of the rules on reliance on other obliged entities’ customer due diligence measures. The guidelines are to specify in greater detail the conditions under which obliged entities may rely on information collected by another obliged entity, including situations where customer due diligence is carried out remotely.

The roles of the obliged entities involved and their responsibilities in situations where one entity relies on another obliged entity.

Supervisory methods for reliance on other obliged entities.

Articles 47–50: Sector-Specific Customer Due Diligence and Third-Party Reliance without a Shift in Liability

In conclusion, Articles 47–50 demonstrate how AMLR combines sector-specific regulation with a harmonised system of responsibility and control. While Article 47 tailors customer due diligence measures to the particular risk profile of the insurance sector, Articles 48–50 establish a clear framework for reliance on another obliged entity, enabling efficiency without displacing legal responsibility. The framework underlines that the use of customer due diligence measures carried out by other obliged entities is not an administrative simplification, but a risk-based decision requiring documentation, contractual clarity and ongoing oversight. For obliged entities, this means that customer due diligence forms an integral part of overall governance and internal policies under AMLR.

Against this background, Morling Consulting assists operators with qualified legal advice on AMLR. Through extensive regulatory expertise and experience in governance and control matters, we support organisations in developing robust internal frameworks, carrying out risk-based assessments and ensuring that implementation is consistent with both the Regulation’s requirements and supervisory expectations. Read more about our practice here.