Outsourcing has become a defining feature of modern compliance operating models. Banks, payment institutions, crypto-asset service providers (CASPs), investment firms, e-money institutions, insurers and other regulated entities increasingly rely on third-party providers for onboarding, screening, KYC remediation, sanctions filtering, transaction monitoring technology, adverse media checks and other compliance-related functions.
The reasons are obvious: scaling compliance internally is expensive, specialist expertise is scarce, and technology-driven AML solutions evolve rapidly. Outsourcing can improve efficiency, reduce operational burdens and provide access to specialised tools and expertise that many firms could not otherwise build internally.
However, outsourcing AML functions is not without regulatory risk.
Under the EU anti-money laundering framework, outsourcing does not transfer responsibility. The obliged entity always remains ultimately accountable for compliance failures, regardless of whether the relevant task was performed internally or by an external provider.
This article provides a practical and comprehensive overview of AML outsourcing under the current Anti-Money Laundering Directive framework (“AMLD”) and the forthcoming Anti-Money Laundering Regulation (“AMLR”), including:
- the distinction between outsourcing and reliance on third parties;
- which AML functions may and may not be outsourced;
- governance and oversight expectations;
- practical compliance considerations;
- the relevance of the EBA Outsourcing Guidelines;
- key changes introduced by the AMLR; and
- operational recommendations for AML and compliance professionals.
Understanding AML Outsourcing: The Regulatory Starting Point
The current EU AML framework recognises that certain customer due diligence (“CDD”) activities may be performed by third parties.
Under Article 25 of the Fourth AML Directive (Directive (EU) 2015/849), Member States may permit obliged entities to rely on third parties to perform certain CDD measures. However, the Directive is explicit that:
“the ultimate responsibility for meeting those requirements shall remain with the obliged entity which relies on the third party”.
This principle is fundamental.
A regulated firm cannot outsource liability. It can outsource performance of tasks, but not accountability for compliance.
This distinction is particularly important in enforcement practice. Regulators consistently expect firms to demonstrate that they:
- understand how outsourced AML controls operate;
- retain effective oversight;
- can independently assess the adequacy of outsourced controls; and
- can evidence compliance at all times.
In practice, supervisors increasingly challenge firms that adopt “black-box compliance” models where critical AML activities are delegated to vendors without meaningful internal understanding or oversight.
Which AML Functions Can Be Outsourced Under the AMLD?
Article 25 AMLD permits reliance on third parties for the CDD requirements contained in Article 13(1)(a), (b) and (c):
(a) Customer Identification and Verification. This includes:
- identifying the customer; and
- verifying the customer’s identity using reliable and independent documentation or information.
Third parties typically relied on for point (a) include digital identity verification providers, eKYC vendors, document authentication providers, biometric verification tools and onboarding service providers.
(b) Beneficial Ownership Identification and Verification. This includes:
- identifying beneficial owners;
- taking reasonable measures to verify their identity; and
- understanding ownership and control structures.
Point (b) becomes particularly relevant for complex corporate structures, trusts, foundations and various investment vehicles.
(c) Understanding the Purpose and Intended Nature of the Business Relationship. This includes obtaining and assessing information relating to:
- expected account activity;
- source of wealth or source of funds indicators;
- intended products/services;
- customer risk profiles;
- expected jurisdictions and transaction patterns.
What Cannot Be Outsourced Under the AMLD?
A critical limitation follows from Article 13(1)(d) AMLD.
Point (d), which covers ongoing monitoring of the business relationship, is not within the scope of third-party reliance under Article 25.
This means that the following elements cannot be discharged by relying on a third party under Article 25:
- ongoing monitoring of the business relationship;
- transaction monitoring;
- scrutiny of customer transactions;
- ensuring transactions remain consistent with the customer profile;
- updating customer information;
- ongoing risk reassessment.
In practical terms, this means that obliged entities must retain substantive control over ongoing monitoring functions.
Some firms may incorrectly assume that because they use external transaction monitoring software or external AML operations support, they have effectively outsourced the entire monitoring obligation. However, under the current AMLD framework, the obliged entity itself must remain operationally and substantively responsible for ongoing monitoring decisions.
A firm may use third-party software, cloud infrastructure, external analysts and similar support, but the firm itself must retain:
- governance,
- decision-making authority,
- escalation control,
- SAR/STR responsibility,
- risk calibration,
- monitoring oversight.
This distinction is extremely important during regulatory inspections.
Outsourcing vs Third-Party Reliance: A Critical Distinction
AML professionals often use the terms interchangeably, but legally and operationally they are fundamentally different concepts.
Third-party reliance refers to situations where one obliged entity relies on another obliged entity’s CDD measures. For example, a bank relying on another regulated entity’s onboarding structures, or an investment firm relying on a credit institution’s CDD.
This concept is specifically regulated under Article 25 AMLD and Articles 48–50 AMLR.
Outsourcing, on the other hand, is broader. The AMLD does not define it; Article 29 AMLD merely provides that the third-party reliance provisions do not apply to outsourcing or agency relationships where, under a contractual arrangement, the service provider or agent is to be regarded as part of the obliged entity. In practice the term refers to delegating operational tasks or processes to external service providers. Examples include:
- outsourced KYC operations;
- sanctions screening vendors;
- AML software providers;
- cloud-hosted monitoring systems;
- external compliance analysts;
- managed AML review teams.
Outsourcing does not necessarily require the service provider to be an obliged entity.
This distinction becomes clearer under the AML Regulation, which introduces separate and more detailed regimes for (a) outsourcing to service providers and (b) reliance on other obliged entities.
The EBA Outsourcing Guidelines: Why They Matter for AML Functions
Although the EBA Guidelines on Outsourcing Arrangements (EBA/GL/2019/02) were not drafted specifically for AML compliance, they are highly relevant for AML outsourcing structures.
The Guidelines apply broadly across financial institutions, including banks and payment institutions.
The Guidelines establish a comprehensive governance framework for outsourcing arrangements and are increasingly used by supervisors when assessing outsourced AML functions. Core principles include:
- outsourcing must not create “empty shell” institutions;
- management bodies retain full responsibility;
- firms must maintain effective oversight;
- outsourcing must not impair supervision;
- critical or important functions require enhanced safeguards.
These principles are highly relevant in AML contexts.
From a governance perspective, the following should be considered when developing AML outsourcing arrangements:
- The management body must retain effective day-to-day oversight of outsourced AML operations.
- Firms should maintain a documented outsourcing framework that includes:
  - outsourcing approval process;
  - risk assessment methodologies;
  - vendor classification criteria;
  - escalation procedures;
  - contractual standards;
  - monitoring obligations;
  - audit rights;
  - termination processes.
- Any outsourcing framework / policy should be fully aligned with the entity’s risk profile, operational complexity and customer base, among others.
- Firms should classify outsourced functions according to (among others) operational criticality, ML/TF exposure, data sensitivity, customer impact and regulatory significance. The EBA Guidelines place significant emphasis on identifying “critical or important functions”. AML onboarding, sanctions screening and transaction monitoring systems will frequently qualify as critical or important functions in practice.
- Before entering into an outsourcing arrangement, firms should assess factors such as expertise and competence, regulatory standing, financial stability and technological resilience.
- The firm should retain access to records, audit rights, inspection rights and information rights. Without adequate access rights, supervisors may consider the outsourcing arrangement non-compliant.
- A compliant outsourcing framework requires credible exit planning. Firms should be able to transition to another provider, reintegrate functions internally, maintain operational continuity and avoid service disruption.
The Risk-Based Approach Remains Central
As with all AML obligations, outsourcing arrangements are subject to the risk-based approach.
Practically, this means that:
- higher-risk firms require stricter controls;
- higher-risk outsourcing arrangements require enhanced oversight;
- cross-border outsourcing may require enhanced due diligence;
- outsourcing involving high-risk jurisdictions requires heightened scrutiny.
Supervisors will expect the sophistication of the outsourcing framework to reflect:
- the firm’s size;
- complexity;
- customer base;
- product offering;
- geographic exposure;
- ML/TF risk profile.
For example, a small domestic payment institution may operate a relatively simple outsourcing framework, whereas a cross-border crypto exchange onboarding high-risk customers globally will require significantly more robust controls.
AML Outsourcing Risks That Firms Often Underestimate
One of the most underestimated AML outsourcing risks is overreliance on external vendors. Regulators frequently raise concerns where firms lack the internal expertise necessary to properly challenge, oversee, or assess outsourced AML controls, as this can lead supervisors to conclude that governance arrangements are ineffective.
At the same time, many firms depend on the same limited group of cloud providers, KYC vendors, screening tools, and blockchain analytics providers, creating significant concentration risk across the sector, particularly within crypto markets. The EBA Guidelines specifically warn firms about the dangers of excessive dependence on a small number of providers and the systemic vulnerabilities this can create.
Another frequently overlooked issue is sub-outsourcing risk. Firms often fail to recognise that outsourced providers may themselves subcontract parts of the service chain, which can reduce operational visibility, fragment accountability, increase data transfer risks, and introduce additional operational vulnerabilities. To mitigate these concerns, outsourcing agreements should clearly define the circumstances in which sub-outsourcing is permitted, together with robust notification and oversight obligations to ensure firms retain sufficient control over outsourced AML functions.
The AML Regulation (AMLR): A More Detailed Future Framework
The new AML Regulation (Regulation (EU) 2024/1624) introduces a significantly more harmonised and detailed framework for outsourcing and reliance arrangements. This is one of the most important structural developments in EU AML law.
Article 18 AMLR expressly permits the outsourcing of AML tasks to third-party service providers, but it also imposes several important safeguards. In particular, obliged entities must notify their supervisor before the outsourced provider begins performing the relevant AML function. This represents a significant operational development and signals that supervisors are likely to scrutinise AML outsourcing arrangements proactively, rather than only reacting after issues arise. Article 18 also reserves certain tasks to the obliged entity itself and does not allow them to be outsourced at all, including approval of the business-wide risk assessment and of internal policies, procedures and controls, the decision on the risk profile to be attributed to a customer, and the reporting of suspicious activities to the FIU.
Crucially, Article 18(2) AMLR reinforces the principle that full responsibility for outsourced AML functions remains with the obliged entity. The regulation goes further than previous AMLD requirements by requiring firms to demonstrate that they understand the rationale behind the outsourced activities, the provider’s methodology, and the way the controls mitigate specific money laundering and terrorist financing risks. In practice, this effectively prohibits “blind outsourcing” and means firms must maintain genuine operational understanding and oversight of all outsourced AML controls.
AMLR Articles 48–50: Reliance on Other Obliged Entities
The AMLR also introduces a significantly more detailed framework governing reliance on other obliged entities for customer due diligence measures. Under Article 48 AMLR, firms may rely on another obliged entity to perform certain CDD measures, provided that the other entity applies equivalent AML/CFT standards, is subject to appropriate supervision, and that ultimate responsibility for compliance remains with the relying entity.
In addition, the AMLR establishes further safeguards relating to third-country risk exposure, group-wide reliance arrangements, written contractual agreements, and the timing of information sharing between parties. These requirements are designed to ensure that reliance arrangements are supported by sufficient transparency, oversight, and control, rather than allowing firms to outsource or delegate AML obligations without maintaining effective accountability.
One particularly important operational requirement under the AMLR appears in Article 49, which requires the obliged entity being relied upon to provide relevant information and documentation “without delay and in any case within 5 working days”. This introduces a clear and enforceable timeframe for the exchange of customer due diligence information between firms relying on third-party arrangements.
Group-Wide Reliance Under the AMLR
The AMLR also provides greater clarity regarding reliance arrangements within group structures. Group entities may rely on one another where effective group-wide AML policies are in place, equivalent AML standards apply across the group, and appropriate supervision is conducted at group level. This is particularly significant for multinational banking groups, payment institution groups, and crypto businesses operating across multiple jurisdictions, where centralized compliance models are common.
At the same time, firms should not assume that intragroup outsourcing or reliance arrangements are inherently lower risk. The EBA Guidelines expressly warn that intragroup arrangements may still create conflicts of interest, concentration risk, and governance weaknesses. As a result, firms must ensure that intragroup AML arrangements remain subject to the same level of oversight, control, and risk assessment as outsourcing relationships involving external third parties.
Conclusion
AML outsourcing is no longer viewed merely as an operational matter. It has become a central governance and regulatory risk issue within the evolving EU AML framework. EU supervisors are applying greater scrutiny to outsourcing arrangements and expecting stronger accountability, enhanced operational resilience, stricter governance standards and more comprehensive documentation. The forthcoming Anti-Money Laundering Regulation (AMLR) is therefore likely to significantly reshape how obliged entities structure both outsourcing and reliance arrangements across the EU financial sector.
While outsourcing may improve efficiency, scalability, and access to specialist expertise, it does not reduce regulatory responsibility. Firms that are most likely to succeed under the new EU AML framework will be those that approach outsourcing not as a transfer of compliance obligations, but as a carefully governed extension of their own internal control environment.