Executive Summary
- What’s new: On 16 April 2026, AMLA published a consultation paper setting out draft regulatory technical standards that will in particular require certain EU entities of third-country groups to take responsibility for the wider group’s AML/CFT compliance framework.
- Why it matters: The draft standards will operationalise key Anti-Money Laundering Regulation groupwide requirements for groups and certain group-equivalent structures across the financial and nonfinancial sectors. They could materially affect governance, compliance functions, intragroup data sharing, the handling of third-country legal impediments and the identification of a “parent undertaking in the Union.”
- What to do next: Affected groups should monitor the finalisation of the draft standards. Although the standards will become binding only once finalised and adopted, the key compliance timeline is already taking shape: Most identified parent undertakings will be required to notify their competent supervisory authority of their role by 10 December 2027. Third-country groups with multiple EU subsidiaries or branches should use this period to assess which EU entities are obliged entities, whether those entities could bring the wider group within scope and which entity may be deemed the parent undertaking in the Union.
__________
Background
On 16 April 2026, the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) published a consultation paper setting out Draft Regulatory Technical Standards (the Draft RTS) which will, in particular, require certain EU entities of third-country groups to take responsibility for the wider group’s AML/CFT compliance framework, including by identifying a “parent undertaking in the Union” where a third-country-headquartered group has multiple EU obliged entities and no EU obliged-entity parent in the Union.
The Draft RTS specifies minimum groupwide AML/CFT requirements as well as additional measures and supervisory actions applicable to branches and subsidiaries of obliged entities (i.e., entities subject to the requirements of the Anti-Money Laundering Regulation (AMLR)) operating in third countries. The AML package establishes a directly applicable, harmonised EU framework for AML/CFT obligations.
A central component of this framework concerns the governance of groups operating across multiple jurisdictions, where consistent application of AML/CFT standards has historically proved difficult to achieve. Article 16 AMLR requires “parent undertakings” to implement uniform policies, procedures and controls for the group, to establish a dedicated group compliance function, and to ensure effective information sharing within the group. These measures aim to enable “obliged entities” to identify and mitigate cross-border money laundering and terrorist financing risks more effectively.
Article 17 AMLR supplements these requirements by addressing an ongoing practical challenge where branches or subsidiaries in third countries cannot fully comply with AMLR requirements due to local legal barriers.
Following the expiration of the consultation period, several industry comments on the consultation were recently published, expressing significant concerns regarding their legal certainty, proportionality and practical feasibility.
Head Office Located Outside the Union: Identifying the Parent Undertaking
The entity ultimately responsible for implementing and monitoring the groupwide AML/CFT framework is the “parent undertaking.” The classification of the parent undertaking varies between groups with European-based head offices and third-country groups that have European-based subsidiaries that qualify as “obligated entities.”
If there are at least two obliged entities that have the same ultimate parent with a head office in a third country and they are not subsidiaries of an obliged entity established in the Union, a parent undertaking in the Union must be identified applying the criteria set out below.
First Criterion: Sufficient Prominence
The first criterion identifies the obliged entity with “sufficient prominence.” Priority is given to the relevant holding company at the highest level of consolidation in the Union (e.g., a financial holding company or insurance holding company). Where no such holding company exists, prominence is determined by the higher of
- the average number of “customers” on 31 December over the previous three years, or
- the average amount of “incoming and outgoing transactions” over the same period.
If these quantitative criteria are inconclusive, the fallback is the entity with the highest total annual turnover.
Second Criterion: Sufficient Understanding of Operations
The second criterion examines “sufficient understanding of operations” assessed by reference to whether the entity has the right or ability to
- decide on strategy or direct the activities of other obliged entities in the Union,
- decide on important transactions, including profit/loss transfers,
- coordinate management or control functions, or
- has critical outsourcing arrangements in place for other obliged entities.
Where inconclusive, the fallback is the obliged entity established in the EU with the highest number of full-time equivalent compliance staff. Importantly, where this determination leads to a different entity than the one with sufficient prominence, the prominence criterion prevails.
The Draft RTS also introduce a detailed notification and supervisory validation procedure in connection with the identification of the parent entity for third-country groups.
Extensiveness of the Group Definition
During the public hearing held as part of the consultation, AMLA stated its view that the requirement to identify a parent undertaking also applies where the EU-based obliged entities do not belong to the same subgroup of a corporate group with its head office in a third-country. This means that, even where a third-country group has one obliged entity in its financial services arm and another obliged entity in an operationally separate sector, one of those obliged entities would have to be designated as the parent undertaking.
AMLA acknowledges that, in such a case, the designated parent undertaking would have no legal means, from a corporate perspective, to compel compliance with the group requirements. AMLA considers that the affected groups have sufficient time to resolve these issues. In our view, a contractual arrangement between the obliged entities (comparable to an outsourcing arrangement) would be a potential solution, granting the designated parent undertaking the rights necessary to enforce the group requirements.
Several consultation respondents emphasise that a group should not extend beyond a parent undertaking, its subsidiaries and undertakings linked to each other; AMLA’s proposals as drafted could result in entities without influence over or understanding of affiliates being designated as parent undertakings of those affiliates. It remains to be seen whether AMLA will address these concerns in the finalised RTS.
Extension to ‘Group-Equivalent’ Structures
Section 6 of the Draft RTS represents a significant development, particularly for the nonfinancial sector. The Draft RTS extend groupwide requirements beyond traditionally defined corporate groups to structures that, while not formally organised as groups, share common ownership, management or compliance control, including networks, partnerships and franchises.
Criteria for Identifying the Parent Undertaking
The Draft RTS establish criteria for identifying the parent undertaking for the purpose of applying the AMLA group requirements in the Union for structures other than groups, such as networks, partnerships or franchises where two or more obligated entities operate under common ownership, management or compliance controls. Unlike the criteria for formal groups, the designated parent undertaking in these structures may be a non-obliged entity.
The determination is based on whether the entity:
- has the right or ability to decide on strategy or direct activities;
- can decide on important transactions, including the transfer of profits or losses;
- coordinates the management of obliged entities in the structure;
- provides essential technical information or critical services that cannot be replaced in a timely fashion without excessive cost;
- manages the compliance control or system of obliged entities;
- manages the costs of operational and compliance activities; or
- develops, manages, distributes or reviews branding, marketing, franchising, partnership or network arrangements.
Where these criteria do not conclusively determine the parent undertaking, the entity with the highest total annual turnover is designated.
Though certain arrangements — such as pure cooperation agreements, arrangements limited to common technical tools, knowledge sharing, customer referrals, exchanges of best practices, the same name or branding alone, or outsourcing of compliance to the same service provider — are expressly excluded from the scope of the “group-equivalent structures,” the industry feedback criticises the scope fervently. The main argument is that structures could be captured that do not warrant group wide AML/CFT obligations, “including purely contractual or investment relationships without sufficient control, coordination or integration to justify such obligations,” stressing that concepts like common management and control should remain aligned with existing prudential and accounting frameworks.
Minimum Groupwide Requirements
Groupwide Policies, Procedures and Controls
Article 16 AMLR requires parent undertakings to establish and implement groupwide policies, procedures and controls. Section 2 of the Draft RTS sets out the following minimum requirements for this purpose, which include:
- Implementing and maintaining an organisational and coordination structure at group level with sufficient decision-making powers for the group compliance manager and officer.
- Ensuring that the management body and control functions receive necessary information.
- Identifying and mitigating conflicts of interest between risk management and commercial functions.
- Carrying out and updating a group-level, businesswide risk assessment.
- Ensuring regular documented information exchanges between compliance functions, the management body and control functions.
- Ensuring that groupwide policies, procedures and controls — designed to account for group-specific risks (including entity-level risks and their interrelations, outsourcing and reliance arrangements, and heightened ML/TF and sanctions evasion risks in third-country branches or subsidiaries) — incorporate measures to address noncompliance and are adequate to the actual structure, composition and operations of the group, appropriately reflecting the individual situation of each entity and branch.
Compliance and control functions must regularly review the effectiveness of groupwide policies, procedures and controls and address any identified deficiencies. Groupwide internal policies must be approved by the management body of the parent undertaking, and procedures and controls at least by the group compliance manager. All groupwide policies must be documented, kept up to date and available to supervisors upon request.
AMLA states in the consultation that the Draft RTS “contain a strong focus on the principle of proportionality” as:
- The level of detail and elaboration of groupwide requirements should be commensurate with the size, complexity and risk profile of the group or structure.
- Parent undertakings and obliged entities may calibrate aspects of the framework (e.g., scope of group compliance engagements, depth of information‑sharing policies) to their specific risks.
However, some of the feedback received during the consultation argues that the proposed text does not reflect the principle of proportionality sufficiently and that it introduces new requirements for which there is no explicit legal basis in the AMLR.
Information Sharing Within Groups
Section 3 of the Draft RTS sets out a comprehensive but non-exhaustive list of information that must be shared within groups for the purposes of preventing money laundering, terrorist financing, and the non-implementation or circumvention of targeted financial sanctions, including:
- Information on customer due diligence.
- Information on transactions, services and activities.
- information on risk assessments.
- Information on suspicious transaction and activity reporting.
- Other relevant information (i.e., on the implementation of groupwide policies or interactions with supervisors).
Though information may only be shared on a need-to-know basis and in line with data protection and other applicable confidentiality requirements, the industry feedback criticises the prescriptiveness of the section and raises concerns regarding inconsistencies with both the risk-based approach and the principle of data minimisation under the General Data Protection Regulation (GDPR).
Branches or Subsidiaries Located Outside the Union: Additional Measures
In cases where an EU parent undertaking or obliged entity identifies that third-country laws do not permit or restrict compliance with the AMLR in any of the following areas, additional measures as set out in Section 4 of the Draft RTS have to be taken:
- Individual risk assessments and customer due diligence.
- The sharing or processing of customer data within the group.
- The disclosure of information related to suspicious transaction reports.
- The sharing of customer data with EU supervisors.
- The application of record retention rules.
The identification of any such impediment activates a mandatory notification to the home member state supervisor within a fixed period of 28 calendar days, specifying both the country concerned and the precise nature of the restriction.
Escalation Framework
To address such impediments, the Draft RTS impose a tiered escalation approach. As a first step, the obliged entity must determine whether obtaining customer consent (and, where relevant, beneficial owner consent) can legally overcome the restriction, and must require such consent to the extent compatible with the third country’s law.
Where consent is not feasible, the entity must adopt one or more additional measures. These include:
- Restricting the branch or subsidiary’s product and service offering to low-risk activities.
- Prohibiting reliance on customer due diligence performed by the affected branch.
- Conducting enhanced on-site reviews or independent audits.
- Requiring senior management preapproval for higher-risk business relationships.
- Documenting sources of funds and wealth.
- Carrying out enhanced ongoing monitoring.
- Ensuring risk profiles and due diligence information remain up-to-date.
Additional measures must be determined on a risk-sensitive basis, and the obliged entity must inform the supervisor of its home member state without undue delay of such measures; provided that the scope of the added measures is proportionate to the risk.
Where these measures prove insufficient to manage money laundering and terrorist financing risk effectively, the Draft RTS require more drastic action: The branch or subsidiary must terminate affected business relationships, cease occasional transactions, or close down some or all operations in the jurisdiction.
Additional Supervisory Actions
Where the home supervisor concludes that an obliged entity’s additional measures are inadequate, it may take further supervisory action under Article 16 of the Draft RTS. Such action includes requiring the entity to submit and implement a risk mitigation plan within a specified period, or directing it to put corrective measures in place. If the risks remain unmanageable, or the entity fails to act within the prescribed period, the supervisor may impose more stringent interventions, including:
- prohibiting new business relationships at the third-country location,
- requiring the reduction or termination of existing relationships, or
- ordering the closure of operations in the affected jurisdiction.
In doing so, supervisors must have regard to the nature and gravity of the identified risks, the extent of the legal impediments, and the entity’s existing governance and control framework.
Sanctions and Enforcement
For serious or repeated violations, the Anti-Money Laundering Directive (AMLD) requires the implementation of fines of at least twice the amount of the benefit obtained or €1 million may be imposed; for financial institutions, the minimum is €10 million or 10% of annual turnover. The AMLA guidelines on the base amounts for imposing fines, which are to be published later in July, are expected to serve as the first point of reference.
Transitional Provisions
Identified parent undertakings must notify the competent supervisory authority of their role by 10 December 2027. For obliged entities, this transition period provides an opportunity to assess applicability, identify the parent undertaking and establish the necessary governance arrangements.
Research assistant Laura Wagner contributed to this article.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.

For further information, please contact:
Sebastian J. Barling, Partner, Skadden
sebastian.barling@skadden.com




