
EU AML Package Alert: Possible review of existing outsourcing processes needed

Date: March 21, 2025

The European Anti-Money Laundering Regulation (AMLR) brings changes to the way institutions outsource compliance-related tasks. While the current Dutch Anti-Money Laundering and Counter-Terrorist Financing Act (Wwft) already imposed strict requirements, the AMLR introduces additional obligations and restrictions. This calls for a review of existing outsourcing processes. But what does this mean specifically for your organisation? In this thematic article, we take a closer look.

Stricter requirements and new obligations for outsourcing

The AMLR tightens the rules on outsourcing: institutions must notify their supervisor in advance about outsourcing and demonstrate that external parties comply with AMLR standards. Additionally, institutions remain fully responsible, as under the Wwft, but the AMLR makes this more explicit and imposes stricter control requirements. There are restrictions on outsourcing to service providers in (high-risk) third countries, and institutions must periodically assess whether their service providers remain compliant.

The AMLR also introduces a list of tasks that cannot be outsourced, such as:

  • The approval of internal policies, procedures, and controls.
  • The decision on the risk profile to be attributed to the client.
  • The decision to enter into a business relationship.
  • The reporting of suspicious activities to the FIU.

Failure to comply with the new obligations may result in sanctions and reputational damage.

Practical consequences: How to adjust your outsourcing policy?

Institutions may need to review their outsourcing policies and take additional compliance measures. Contracts with external service providers may need to be adjusted, internal processes reviewed, and reporting requirements tightened so that institutions can effectively monitor the timeliness, continuity, and reliability of these parties’ services and intervene if necessary.

Opportunities for a strong AML compliance strategy

Although the AMLR imposes stricter requirements, it also provides an opportunity to improve your compliance approach and to better manage the related risks:

  • Better control over outsourcing: A revised policy provides more grip on external partners and processes.
  • More efficient risk management: Stronger internal structures help to minimise risks.
  • Smarter technology: Automation can help with compliance and reporting.
  • Legal optimisation: Reviewing contracts prevents future bottlenecks.
  • Reassessment of outsourcing: For institutions that currently outsource few or no tasks, the AMLR provides a natural benchmark to evaluate whether certain tasks can be allocated externally in a more efficient and effective way.

By making timely adjustments, you not only avoid sanctions but also build a more robust compliance structure.

Status and timelines of the AML framework

As of 10 July 2024, the AMLR and AMLD6 have entered into force. Both the AMLR and AMLD6 will be largely applicable from 1 July 2027. Additionally, the Regulation establishing the European AML/CFT Authority (AMLAR) has entered into force as of 25 June 2024 and will be largely applicable from 1 July 2025.

The AMLA (EU Authority for Anti-Money Laundering and Countering the Financing of Terrorism) will also have a more active role. One of AMLA’s tasks will be to develop guidelines and technical regulatory standards that will provide more clarity on the application and implementation of AMLR and AMLD6.

In the coming period, we will continue to closely monitor the developments and keep you informed via our website and our monthly newsletter.