Question ID:
Legal Act:
Directive (EU) 2015/849 (AMLD)
Third country policy
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2019/758 – RTS on implementation of group wide AML/CFT policies in third countries
Art 4, paragraph 1, subparagraph c.
Disclose name of institution / entity:
Type of submitter:
Credit institution
Subject Matter:
Retroactivity concerning customer consent for data sharing and processing

Is there the expectation that such consent clauses, under Article 4 of the Delegated Regulation, be incorporated into contracts on a go-forward basis from the date the Regulation entered into force (i.e. with new customers and existing customer contract renewals) or is there the expectation that all existing customer contracts will be remediated to meet this requirement? What approach should be used with former customers?

Background on the question:

According to Article 4 of the EU Delegated Regulation 2019/758, branches and majority-owned subsidiaries (in third countries) of credit and financial institutions must attempt to obtain the consent of the customer where a third country's law prohibits or restricts the sharing or processing of customer data within the group for AML/CFT purposes.

It is unclear if the requirements in this Article are to be applied retroactively (e.g. via a remediation exercise) or only on a go-forward basis. It is also unclear if former customers are in scope (where the likelihood is high that consent could be rejected) and the term to implement the Delegated Regulation (3 months) is too short to get the consent of such customers.

Date of submission:
Published as Final Q&A:
EBA Answer:

Article 8 of Directive (EU) 2015/849 (AMLD) requires obliged entities to put in place and maintain policies and procedures to identify, assess and manage the Money Laundering (ML)/Terrorist Financing (TF) risk to which they are exposed.


ML/TF risk management is an ongoing process. Article 8 of the AMLD explicitly requires obliged entities' ML/TF risk assessments to be ‘kept up-to-date’. Further, Article 14(5) of the AMLD requires obliged entities to ‘apply the customer due diligence measures not only to all new customers but also at appropriate times to existing customers on a risk-sensitive basis’.


Consequently, credit institutions and financial institutions should take steps to ensure that they comply with the legal AML/CFT obligations in relation to all business relationship, irrespective of when these business relationships commenced. When applying new AML/CFT controls to existing business relationships, credit institutions and financial institutions should take a risk-sensitive approach.  For example, by extending new AML/CFT controls to ‘higher risk’ business relationships in the first instance.


Article 45 of the AMLD requires obliged entities that are part of a group to implement group-wide policies and procedures. These group-wide AML/CFT policies and procedures include policies and procedures for sharing information within the group for AML/CFT purposes. Sharing customer data within the group supports effective, ongoing ML/TF risk identification and management at the level of the group. It is also necessary to enable competent authorities effectively to supervise the group's compliance with the AMLD’s requirements.


Article 4 of the Commission Delegated Regulation (EU) 2019/758  sets out  the requirements for credit institutions and financial institutions, that are part of a group, where a third country’s law limits the group's ability to access, process or exchange information related to customers of branches or majority-owned subsidiaries in the third country. This includes requiring customers and their beneficial owners to consent to their data being shared within the group.

In light of the considerations set out above, where the Delegated Regulation applies and where:

  1. the credit institution or financial institution has established in line with Article 4(1)b of the Delegated Regulation that consent from the customer and/or beneficial owner can be used to legally overcome the restrictions or prohibition on sharing of customer data within the group, and
  2. a credit institution or financial institution has a branch or majority-owned subsidiary in a third country jurisdiction whose laws do not permit the sharing or processing of customer data for AML/CFT purposes within the group,
  3. this branch or majority-owned subsidiary has a customer who was
  1. onboarded before Commission delegated regulation (EU) 2019/758 entered into force, and
  2. not required at the time of onboarding to give consent to their data being shared,

the credit institution or financial institution has to take steps to amend the customer’s contract in line with the provisions in Article 4(1)(c) of the Delegated Regulation. Until then, the credit institution or financial institution should follow the steps set out in Article 4(2) of the Delegated Regulation.

Final Q&A