The AMLR imposes far-reaching requirements on how organisations must structure their work to counter money laundering, terrorist financing and breaches of targeted financial sanctions. A central part of the Regulation is the requirement to manage AML risks within the EU.

In this third part of our blog series, we examine the Regulation’s rules on exemptions for certain financial activities, cross-border operations, and internal policies and controls under Articles 6–9. For affected organisations, this entails not only stricter formal requirements but also a practical need for structured compliance. At Morling Consulting, our AML lawyers, who focus on practical implementation, support organisations in translating the Regulation’s requirements into workable processes, risk assessments and internal control systems aligned to the organisation’s actual risk exposure. The first part of the series on definitions, purpose and competent entities in the AML framework addresses Articles 1–3, which set out the AMLR’s overall purpose and scope. If you wish to explore the Regulation’s basic structure, we recommend beginning there.

Article 6 AMLR – Exemptions for certain financial activities

Article 6 is a central provision of the AMLR. It sets out the extent to which Member States may exempt legal and natural persons who engage only to a limited extent in financial activities from the Regulation’s requirements. Exemptions are permitted only where a number of cumulative criteria are met. To be compliant with the AMLR, all six criteria in Article 6(1) must be satisfied. Among other things, the requirements stipulate that the financial activity must be limited in absolute terms and restricted in respect of transactions. Taken together, these criteria mean that exemptions can be granted only in narrowly defined situations.

To ensure a restrictive application of exemptions, Member States must set several national thresholds tailored to the type of financial activity. These include the total turnover from the financial activity, which must be below a determined yet sufficiently low value. They also include an upper limit for individual transactions and customers, irrespective of whether this involves a single transaction or several linked transactions. In this respect, the threshold must be low enough to mitigate money-laundering and terrorist-financing risks and may not exceed EUR 1,000. In addition, turnover from the financial activity may never exceed five per cent of the person’s or undertaking’s total turnover. The limitations in Article 6 create a framework for how exemptions should be assessed and supervised.

Member States must apply Article 6 carefully and prudently. In a risk assessment, the nature of the financial activity must be specifically considered, including whether it is particularly exposed to misuse for money laundering or terrorist financing. Finally, Article 6 stipulates that Member States must take appropriate measures, or have risk-based supervision, to ensure that any exemptions granted are not abused.

Article 7 AMLR – Prior notification of exemptions

Under Article 7, Member States are required to notify the Commission without delay of all exemptions they plan to grant under Articles 4, 5 and 6. The notification must set out the proposed exemption together with a justification for why it should be granted. The justification must be based on a relevant risk assessment performed by the Member State.

The Commission is then given a two-month period to act and take a decision following the Member State’s notification. The Commission may approve the exemption or reject it by a reasoned decision, and may also request supplementary information from the Member State. Once the Commission has confirmed an exemption, Member States may decide to grant it and must set out the reasons for their decision at the time of granting. Member States must also review such decisions regularly.

The Commission must publish annually a list of all exemptions granted under this Article in the Official Journal of the EU and on its website. This results in a high level of transparency that strengthens trust in the EU’s risk management.

Article 8 AMLR – Cross-border activities and application of national law

Article 8 governs situations where obliged entities intend to conduct activities in another Member State. This is a core area of the AMLR, as cross-border activity can increase complexity and expose entities to additional risks within the EU. The provision aims to secure supervision, transparency and consistent application of the framework in cross-border contexts.

Where an obliged entity plans for the first time to conduct activities in the territory of another Member State, it must notify the supervisory authority in its home Member State. The notification must be made as soon as the entity takes steps to commence the activity and, in the case of establishment, no later than three months before operations begin. Once activities commence, this must be reported immediately to the home supervisory authority. These notification duties do not apply where specific notification procedures already apply or where the activity is subject to particular licensing requirements.

Article 8 also requires ongoing updates to the supervisory authority where notified information changes. Any planned change must be notified to the supervisory authority in the home Member State at least one month before implementation. This includes changes to the scope of activities, organisational structure or the manner in which services are provided.

The provision further clarifies how national law applies in cross-border situations. Where the AMLR allows Member States to adopt supplementary national rules, obliged entities must comply with the rules applicable in the Member State in which they are established. For obliged entities with establishments in several Member States, each establishment must apply the rules of the State in which it is located. This means that a group or business operating in multiple countries must manage parallel national frameworks and ensure compliance in each jurisdiction.

Article 8 also addresses the requirement for a central contact point. Where an obliged entity, under Directive (EU) 2024/1640, is required to appoint a central contact point in another Member State, that function must be capable of ensuring compliance with applicable law on behalf of the obliged entity. A central contact point, under Directive 2024/1640, may be required by a Member State and is intended to represent the obliged entity and ensure that the Member State’s AML framework is complied with. The contact point should also assist supervisory authorities by providing requested information.

Article 9 AMLR – Internal policies, procedures and controls for the enterprise-wide AML risk assessment

Article 9 of the AMLR sets out the fundamental requirements for obliged entities’ internal policies, procedures and controls. The provision is central to the Regulation as it specifies how obligations under the AMLR must be operationalised within each business. Its purpose is to ensure that obliged entities can, in a systematic, proportionate and documented manner, identify, manage and reduce risks of money laundering, terrorist financing and risks linked to the circumvention or non-implementation of targeted financial sanctions.

The starting point in Article 9 is that every obliged entity must have internal policies, procedures and controls in place that are proportionate to the nature, size, complexity and risk profile of the business. The Article aims to ensure compliance with the Regulation, with Regulation (EU) 2023/1113, and with any administrative acts issued by a supervisory authority. The policies must cover all parts of the business within scope and specifically aim to reduce and manage risks identified at Union, national and entity level. They must also ensure compliance with obligations connected to targeted financial sanctions. Obliged entities must reduce and manage the risk of targeted financial sanctions being avoided or not implemented. This is integral to an effective enterprise-wide AML risk assessment.

The internal policies and procedures must cover, among other things, how the enterprise-wide risk assessment is conducted and kept up to date, how the entity’s risk-management framework is designed, and which customer due diligence measures are applied. This includes procedures to identify and manage customers, beneficial owners and other relevant parties who are politically exposed persons or connected to such persons. The policies must also govern how suspicious transactions are reported, how outsourcing is managed and the extent to which other obliged entities’ due diligence may be relied upon. Where appropriate, organisations may address outsourced AML compliance in their governance model, ensuring that outsourced arrangements are risk-based and transparently controlled.

Article 9 also requires clear rules for the retention and processing of data, particularly with regard to the requirements on the processing of personal data under Articles 76 and 77 of the AMLR. Another key element is the requirement for internal dissemination of the policies throughout the organisation. The policies must be known not only to management and compliance functions but also communicated to agents, distributors and external service providers involved in AML measures. Staff training is another core component, as the Article requires policies for training employees and, where applicable, agents and distributors. Such training should embed practical understanding of the entity’s customer due diligence measures as part of an effective enterprise-wide AML risk assessment.

To ensure that policies and procedures are followed in practice, Article 9 requires internal controls and an independent audit function. This function must regularly review both the policies and the controls introduced. Where the business lacks an internal audit function, the review may instead be performed by an external expert. In such cases, expectations for outsourced AML compliance and assurance arrangements should be clearly documented.

Article 9 contains an express requirement that internal policies, procedures and controls be documented in writing. The policies must be approved by the management body in its management function, while internal procedures and controls must as a minimum be approved by the head of compliance. This underlines the leadership’s responsibility for compliance and makes clear that AML is a governance matter, not merely an operational function.

Finally, Article 9 requires obliged entities to keep their policies and controls continuously up to date. Where shortcomings are identified, the policies must be improved and adapted. The provision also looks to future harmonisation by stating that the European supervisory authority AMLA must, by 10 July 2026, issue guidelines on the factors obliged entities should consider when determining the scope of their internal policies and controls.

Scope of Articles 6–9 AMLR – implications for the enterprise-wide AML risk assessment

Articles 6–9 of the AMLR form a structure that combines exemption rules, transparency requirements and extensive internal controls. They are central to understanding how the EU addresses risk and ensures that exemptions do not weaken the effectiveness of the framework.

For organisations, this means that the handling of internal policies and cross-border services must be carried out with great care. Morling Consulting supports businesses in implementing appropriate structures, performing risk assessments and ensuring compliance with the EU AMLR.

Practical next steps – embedding the enterprise-wide AML risk assessment

For obliged entities, the AMLR requires that work to counter money laundering and terrorist financing be both structured and well documented. It is not enough to have policies on paper – they must be embedded operationally and subject to ongoing follow-up. Crucially, internal policies must be aligned to the real risk profile so that resources are directed where risks are greatest. By reviewing governance, reporting lines and internal control now, future supervisory issues can be avoided.

Many organisations already have parts of these structures in place but need support to adapt them to the AMLR’s more detailed requirements. An external perspective can help identify gaps, prioritise actions and translate the framework into practical, workable processes. At Morling Consulting, our AML lawyers work alongside the business to build sustainable compliance frameworks that function day-to-day.

The next part of the series is available here: AMLR: Centralised mechanisms and information-sharing – risk assessment, compliance and organisation.