LIRE
Risk & Compliance

EU-Anti-money laundering Framework alert: integrated approach to money laundering risks at group level

Date: June 23, 2025

In the coming years, the current Dutch Anti-Money Laundering and Counter-Terrorist Financing Act (Wwft) will be replaced by new European anti-money laundering rules. This so-called AML framework consists of several pieces of regulation, including AMLR, AMLD6 and AMLAR.

In this article, we take a closer look at managing money laundering risks at group level. The AML framework marks a shift from a more entity-focused approach to a group-wide perspective on money laundering risks. This requires a critical review of policies, processes, and collaboration within corporate group structures.

AMLR requires the implementation of a group-wide approach

The Wwft does not impose a mandatory group-wide approach; however, a practical obligation may apply in certain cases. For example, Article 2 Wwft stipulates that institutions with foreign entities (branches or majority-owned subsidiaries) in third countries must ensure compliance with Dutch AML rules, insofar as permitted by local legislation.

The Wwft also provides room for intra-group collaboration, such as under Article 35 Wwft, which allows for the sharing of information on unusual transactions within a group. However, this article also states that such sharing is allowed unless the FIU-NL decides otherwise. FIU-NL may prohibit information sharing if it could interfere with an ongoing investigation. Therefore, institutions must inform the FIU-NL before sharing such information within the group.

AMLR makes a group-wide approach mandatory. Parent companies will be held responsible for compliance with anti-money laundering obligations across the entire group, including foreign subsidiaries and branches in third countries. 

This means, for instance, that a centralized compliance framework must be in place, including the appointment of a group-level compliance manager and, where necessary, a dedicated compliance officer. Group-wide policies, procedures, and controls must be implemented and centrally coordinated.

Mandatory information sharing and risk assessment

Under the AMLR, group entities are required to share relevant information with each other, including customer and transaction data, risk assessments, and reports to the FIU (where permitted). Group-wide risk assessments must be developed, and local risk analyses must align with them. Client risk classifications must demonstrably stem from these analyses and be consistent with group policy.

Third countries and additional scrutiny 

Group entities operating in third countries must comply with standards equivalent to those of the EU. If local legislation prevents this, the parent company must implement mitigating measures—or even consider terminating the relationship.

What does this mean for institutions within a group?

Institutions may need to revise and harmonize their compliance policies, clearly defining roles and responsibilities at the group level. IT systems and internal communication must be designed to enable secure and timely information exchange. Institutions should also prepare for supervision by both national regulators and the new European AML Authority (AMLA).

How can institutions start preparing? 

A thorough assessment is the foundation for meeting the future requirements of the AMLR. Consider the following steps:

  • Conduct a gap analysis: Compare your current Wwft-based policy with the new AMLR obligations and identify where additional measures are needed—especially at the group level.
  • Prepare for policy revision and harmonization: Ensure that local entities will be able to align their policies with the group-wide framework.
  • Appoint a central compliance manager and, where appropriate, establish a central compliance officer role with oversight of all entities. Map out how reporting lines and responsibilities will be clearly defined.
  • Evaluate how systems can be securely and accessibly configured for information sharing.
  • Develop a group-wide risk assessment: Ensure that local risk analyses align with this and that client risk classifications are traceable.
  • Assess third countries where group entities operate and evaluate associated AML risks.
  • Train employees and raise awareness of the upcoming obligations under the AMLR.

Status and timelines of the AML framework

As of 10 July 2024, the AMLR and AMLD6 have entered into force. Both the AMLR and AMLD6 will be largely applicable from 1 July 2027. Additionally, the Regulation establishing the European AML/CFT Authority (AMLAR) has entered into force as of 25 June 2024 and will be largely applicable from 1 July 2025.

The AMLA (EU Authority for Anti-Money Laundering and Countering the Financing of Terrorism) will also have a more active role. One of AMLA’s tasks will be to develop guidelines and technical regulatory standards that will provide more clarity on the application and implementation of AMLR and AMLD6.

In the coming period, we will continue to closely monitor the developments and keep you informed via our website and our monthly newsletter. For example, next time we will discuss the consequences for conducting client due diligence.

If you have any questions in the meantime, please don't hesitate to contact us.