Is AML/KYC outsourcing permitted by EU regulators? A practical guide to EBA/GL/2021/05

By Scanlex  ·  30 March 2026  ·  8 min read

It is one of the most common questions we hear from compliance officers at EU-regulated financial institutions: is it actually permitted to outsource AML and KYC functions? Will the regulator accept it? Could it expose us to liability?

The short answer is yes, it is explicitly permitted. The longer answer is that it must be done correctly, and the conditions are specific.

The legal basis: EBA/GL/2021/05 and AMLD6

Outsourcing of AML and KYC functions is governed by two principal instruments at EU level.

Article 25 of the Sixth Anti-Money Laundering Directive (AMLD6) establishes the right of obliged entities to use third parties to carry out customer due diligence obligations. It sets out the conditions under which this is permitted and makes clear that ultimate responsibility for compliance remains with the obliged entity, regardless of who carries out the work.

EBA/GL/2021/05, the European Banking Authority's guidelines on internal governance, addresses outsourcing of compliance functions including AML. It establishes the governance framework that regulated entities must put in place when they outsource these functions to third parties. These guidelines apply uniformly across all EU member states. No national competent authority (NCA) can prohibit AML outsourcing that complies with these guidelines.

The key legal provisions

AMLD6 Article 25: Obliged entities may use third parties to apply customer due diligence measures. Ultimate responsibility for compliance with the Directive remains with the obliged entity.

EBA/GL/2021/05: Regulated entities may outsource compliance functions, including AML, to third parties provided the arrangement satisfies the governance requirements set out in the guidelines, including documentation, oversight, accountability and EU data residency.

The four conditions regulators require

A compliant outsourcing arrangement is not simply a matter of signing a contract with a provider and delegating the work. Regulators require four specific things to be in place before they will treat an outsourced AML function as acceptable.

1. A written outsourcing agreement

There must be a formal outsourcing agreement between the regulated entity and the third party. This agreement must define the scope of the outsourced function, the service levels, the audit rights of the regulated entity, and the ability of the NCA to examine the outsourced function directly. A services agreement or statement of work is not sufficient. The NCA needs to be able to inspect the arrangement as part of its review of the regulated entity's AML governance.

2. A GDPR-compliant Data Processing Agreement

Because the outsourced function will involve processing personal data (customer due diligence information), a Data Processing Agreement compliant with GDPR Article 28 must be signed before any data is shared. This DPA must specify the nature of processing, the data categories, the retention terms, the security requirements, and the conditions for subprocessing. EU data residency must be maintained throughout.

3. Documented quality oversight

The regulated entity's compliance officer (MLRO) must be able to demonstrate active oversight of the outsourced function. This means documented quality assurance procedures, periodic reporting from the outsourced team to the MLRO, evidence of review, and a clear escalation path for material findings. The NCA will look for evidence that oversight is real, not nominal.

4. Accountability retained by the regulated entity

The most important condition: ultimate accountability for AML compliance cannot be outsourced. The regulated entity's MLRO remains responsible for the quality and legality of the AML function, regardless of who carries out the day-to-day work. The third party executes under the regulated entity's policies and under the MLRO's oversight. This is the line regulators draw consistently across all EU jurisdictions.

The accountability principle in practice: An NCA examiner will direct all questions about the AML programme to the MLRO of the regulated entity, not to the outsourcing provider. The MLRO must be able to speak to the quality of the outsourced team's output, the oversight arrangements, and the governance framework. The outsourced team's work must be supervisable by the NCA at any time.

What NCAs actually look for in practice

The EBA guidelines are the floor. In practice, different NCAs apply them with different emphasis and different levels of scrutiny.

DNB (Netherlands) is among the most thorough in examining outsourcing arrangements. Its examiners will review the outsourcing agreement in detail, request evidence of quality oversight (QA reports, escalation records), confirm EU data residency, and verify that the accountability chain runs cleanly to the named MLRO. DNB does not object to outsourcing in principle, but it will identify structural weaknesses in governance quickly.

MFSA (Malta) accepts outsourced AML functions as standard practice. Its pre-examination documentation requests typically include the outsourcing agreement, the DPA, and evidence of the oversight framework. The quality of programme documentation and the credentials of the team lead are also assessed.

Bank of Lithuania has processed a high volume of EMI and PI licence applications involving outsourced AML functions. Its review process is structured around the EBA guidelines, and it is familiar with the model. Mobilisation speed and analyst credentials are the primary focus at examination.

CySEC (Cyprus) and Central Bank of Ireland both apply EBA/GL/2021/05 as the governing framework. CBI in particular has developed detailed expectations around the independence of the compliance function and the quality of board reporting, even in an outsourced model.

What this means for a regulated entity considering outsourcing

The practical implication is that AML/KYC outsourcing is not a compliance shortcut. It is a compliant operating model for the AML function, subject to the same governance requirements as an in-house function, with the addition of an outsourcing agreement and formal oversight documentation.

Done correctly, it satisfies NCA requirements across all EU jurisdictions. Done incorrectly, such as without a formal agreement, without documented oversight, or without clear accountability to the MLRO, it creates both regulatory and legal exposure.

Common misconceptions

"Our NCA prohibits it." No EU NCA can prohibit outsourcing that complies with EBA/GL/2021/05. The guidelines apply uniformly across all member states. If a compliance professional has been told their NCA prohibits it, this is either a misreading of the NCA's requirements or a reference to specific conditions that have not been met, not a general prohibition.

"We would lose control of our compliance function." A correctly structured outsourcing arrangement operates under the regulated entity's own AML policies, risk appetite, and MLRO oversight. The outsourced team works inside the regulated entity's systems, follows its procedures, and reports to its MLRO. The accountability structure is the same as for an in-house team; the staffing model is different.

"It is only suitable for smaller firms." Some of the largest EMIs and payment institutions in the EU use outsourced KYC and ODD teams for volume management, inspection preparation, and specialist functions (sanctions, EDD) that complement in-house capacity. Scale does not determine whether outsourcing is appropriate; the nature of the function and the governance framework do.

Outsourcing your KYC or ODD function

Scanlex provides EU-based KYC analyst teams and ODD investigators to EMIs, payment institutions, CASPs and fintechs across the EU. All engagements are structured to satisfy EBA/GL/2021/05, with a written outsourcing agreement and GDPR Article 28 DPA as standard. Teams are operational in two weeks.

For firms that also need compliance officer support alongside an outsourced analyst team, see our Compliance Officer Support service. For independent review of an existing AML programme, see AML Audit and Advisory.