monitor developments across the internal market and assess threats, vulnerabilities and risks in relation to ML/TF;

monitor developments in third countries and assess threats, vulnerabilities and risks in relation to their AML/CFT systems that have an actual or potential impact on the internal market;

collect and analyse information, from its own supervisory activities and those of the supervisors and supervisory authorities, on weaknesses identified in the application of AML/CFT rules by obliged entities, the risk exposure of obliged entities, the sanctions imposed and the remedial actions taken;

establish a central AML/CFT database of information collected from supervisory authorities or stemming from the Authority’s activities, and keep it up to date;

analyse the information collected in the central database and share those analyses with supervisors, supervisory authorities and non-AML/CFT authorities on a need-to-know and confidential basis;

support the analysis of risks of ML/TF and of non-implementation and evasion of targeted financial sanctions affecting the internal market, referred to in Article 7 of Directive (EU) 2024/1640;

support, facilitate and strengthen cooperation and exchange of information between obliged entities and supervisors, supervisory authorities and non-AML/CFT authorities in order to develop a common understanding of ML/TF risks and threats facing the internal market, including by participating in partnerships for information sharing in the field of AML/CFT;

issue publications and provide training, as well as other services on demand, in order to raise awareness of, and address, ML/TF risks;

report to the Commission any instances where the Authority, in the performance of its tasks, discovers that a Member State has transposed Directive (EU) 2024/1640 incorrectly or incompletely;

undertake any other specific task set out in this Regulation or in the other legislative acts referred to in Article 1(2);

assist the Commission in reviewing the application of the relevant regulatory and implementing technical standards adopted by the Commission, review the application of the guidelines and recommendations issued by the Authority and propose amendments, where appropriate, including amendments to:

ensure compliance of the selected obliged entities with the requirements applicable to them pursuant to Regulation (EU) 2024/1624 and Regulation (EU) 2023/1113, including obligations related to the implementation of targeted financial sanctions;

carry out supervisory reviews and assessments at the level of individual entities and at group-wide level in order to determine whether the internal policies, procedures and controls put in place by the selected obliged entities are adequate to comply with the requirements applicable to them, and on the basis of those supervisory reviews and assessments impose specific requirements, apply administrative measures and impose pecuniary sanctions and periodic penalty payments pursuant to Articles 21, 22 and 23;

participate in group-wide supervision, in particular in AML/CFT supervisory colleges, including where a selected obliged entity is part of a group that has headquarters, subsidiaries or branches outside the Union;

develop and keep up to date a system to assess the risks and vulnerabilities of the selected obliged entities, in order to inform the supervisory activities of the Authority and the supervisory authorities, including through the collection of data from those entities by means of structured questionnaires and other online or offline tools.

maintain an up-to-date list of financial supervisors within the Union;

carry out periodic assessments to ensure that all financial supervisors have adequate resources, powers and strategies necessary for the performance of their tasks in the area of AML/CFT, and make the results of such assessments available;

take, in response to a request by financial supervisors for the Authority to assume direct supervision or on the Authority’s own initiative, appropriate measures in exceptional circumstances requiring the Authority’s intervention and related to non-selected obliged entities’ compliance or risk exposure;

facilitate the functioning of the AML/CFT supervisory colleges in the financial sector;

contribute, in collaboration with financial supervisors, to the convergence of supervisory practices and the promotion of high supervisory standards in the area of AML/CFT, including in relation to verification of compliance with AML/CFT requirements related to targeted financial sanctions;

coordinate staff and information exchanges among financial supervisors in the Union in the area of AML/CFT;

provide assistance, in the area of AML/CFT, to financial supervisors, following their specific requests, including requests to mediate between financial supervisors;

settle, with binding effect, disagreements between financial supervisors concerning the measures to be taken in relation to an obliged entity, including in the context of AML/CFT supervisory colleges, following a specific request as referred to in point (g).

maintain an up-to-date list of non-financial supervisors within the Union;

coordinate peer reviews of supervisory standards and practices in the area of AML/CFT;

in the area of AML/CFT, investigate potential breaches or non-application of Union law by non-financial supervisors and public authorities overseeing self-regulatory bodies, issue recommendations on how to remedy the identified breaches and, where the supervisors or public authorities do not comply with the recommendations, issue warnings identifying the measures to be implemented to mitigate the effects of the breach;

carry out periodic reviews to ensure that all non-financial supervisors have adequate resources and powers necessary for the performance of their tasks in the area of AML/CFT;

contribute to the convergence of supervisory practices and the promotion of high supervisory standards in the area of AML/CFT;

facilitate the functioning of AML/CFT supervisory colleges in the non-financial sector;

provide assistance to non-financial supervisors, following their specific requests, such as requests to mediate between non-financial supervisors in the event of a disagreement on the measures to be taken in relation to an obliged entity, including in the context of AML/CFT supervisory colleges.

maintain an up-to-date list of FIUs within the Union;

monitor changes in the legal framework of FIUs, as well as in their organisation, focusing on resources for the performance of their tasks;

support the work of FIUs and contribute to improved cooperation and coordination between FIUs;

contribute to the identification and the selection of relevant cases for the conduct of joint analyses by FIUs;

develop appropriate methods and procedures for the conduct of joint analyses by FIUs of cross-border cases;

set up, coordinate, organise and facilitate the conduct of joint analyses carried out by FIUs;

provide assistance to FIUs, upon their specific requests, such as requests for mediation in the case of a disagreement between FIUs;

conduct peer reviews of the activities of FIUs aimed at strengthening their consistency and effectiveness and identifying best practices;

develop and make available to FIUs tools and services to enhance their analysis capabilities, as well as IT and artificial intelligence services and tools for secure information sharing, including by hosting FIU.net;

develop, share and promote expert knowledge on detection, analysis, and dissemination methods of suspicious transactions;

at the request of FIUs, provide them with specialised training and assistance, including through the provision of financial support, within the scope of the Authority’s objectives and in accordance with the staffing and budgetary resources at its disposal;

support, at the request of FIUs, their interaction with obliged entities by providing expert knowledge to obliged entities, including improving their awareness and procedures to detect suspicious activities and transactions and their reporting to the FIUs;

prepare and coordinate assessments and strategic analyses of ML/TF threats, risks and methods identified by FIUs.

to require the submission of information or documents, including written or oral explanations, necessary for the performance of its functions, including statistical information and information concerning internal processes or arrangements of national supervisors and supervisory authorities, and to access that information in and extract it from the common structured questionnaires and other online and offline tools developed by the Authority;

to issue guidelines and recommendations;

to issue requests to act and instructions on measures to be taken in relation to non-selected obliged entities pursuant to Chapter II, Section 4;

to carry out mediation upon the request of a financial supervisor or of a non-financial supervisor;

upon the request of financial supervisors, to settle, with binding effect, disagreements between financial supervisors, including in the context of the AML/CFT supervisory colleges.

to request non-operational data and analyses from FIUs, where they are necessary for the assessment of threats, vulnerabilities and risks facing the internal market in relation to ML/TF;

to collect information and statistics in relation to the tasks and activities of FIUs;

to obtain and process information and data required for initiating, conducting and coordinating joint analyses as specified in Article 40;

to issue guidelines and recommendations.

to develop draft regulatory technical standards in accordance with Article 49;

to develop draft implementing technical standards in accordance with Article 53;

to issue guidelines and recommendations, as provided for in Article 54;

to provide opinions to the European Parliament, to the Council and to the Commission, as provided for in Article 55.

benchmarks and a methodology for classification of obliged entities into risk categories on the basis of their residual risk profile, separately for each category of obliged entities;

approaches to supervisory review of ML/TF risk self-assessments of obliged entities;

approaches to supervisory review of obliged entities’ internal policies and procedures, including their customer due diligence policies and procedures, in line with a risk-based approach to the prevention of ML/TF;

approaches to supervisory evaluation of risk factors inherent in, or related to, customers, business relationships, transactions and delivery channels of obliged entities, as well as geographical risk factors.

the scope of each planned thematic review in terms of category and number of obliged entities included and the subject matter of the review;

the timeframe of each planned thematic review;

the planned types, nature and frequency of supervisory activities to be performed in relation to each thematic review, including any on-site inspections or other types of direct interaction with obliged entities, where applicable.

new practical instruments and convergence tools to promote common supervisory approaches and best practices;

practical tools and methods for mutual assistance following:

sectoral and cross-sectoral training programmes, including with respect to technological innovation;

exchanges of staff and the use of secondment schemes, twinning and short-term visits;

exchanges of supervisory best practices between supervisory authorities where one authority has developed expertise in a specific area of AML/CFT supervisory practices.

a list of all supervisory authorities and self-regulatory bodies in their Member State entrusted with the supervision of obliged entities, including information about their mandate, tasks and powers and, where applicable, the identification of the leading supervisor or coordination mechanism;

statistical information about the categories and the number of supervised obliged entities per category in their Member State and basic information about the risk profile of those entities;

the administrative measures applied and pecuniary sanctions imposed in the course of supervision of individual obliged entities in response to breaches of AML/CFT requirements, accompanied by:

any advice or opinion related to ML/TF risks provided to other authorities in relation to authorisation procedures, withdrawal of authorisation procedures, and ‘fit and proper’ assessments of shareholders or members of the management body of individual obliged entities;

the outcomes of their assessments of the inherent and residual risk profiles of all credit institutions and financial institutions that meet the criteria set out in Article 12(1);

the outcomes and reports of thematic reviews and other horizontal supervisory actions with regard to high-risk areas or activities;

information regarding the supervisory activities they performed over the past calendar year, gathered pursuant to Article 40(5) of Directive (EU) 2024/1640;

statistical information about staffing and other resources of supervisors and supervisory authorities.

the procedure, formats and timelines for the transmission of information pursuant to paragraphs 2 and 3;

the scope and level of detail of the information to be transmitted, taking into account relevant distinctions between obliged entities, such as their risk profile;

the scope and level of detail of the information to be transmitted in relation to obliged entities in the non-financial sector;

the type of information the disclosure of which by the Authority, pursuant to a reasoned request or at its own initiative, requires the prior consent of the supervisory authority that originated it;

which level of materiality a breach needs to have in order for a supervisory authority to be obliged to transmit information on the breach pursuant to paragraph 2, point (c);

the conditions under which the Authority may request additional information pursuant to paragraph 3;

the types of additional information to be transmitted to the Authority pursuant to paragraph 3.

credit institutions;

bureaux de change;

collective investment undertakings;

credit providers other than credit institutions;

e-money institutions;

investment firms;

payment institutions;

life insurance undertakings;

life insurance intermediaries;

crypto-asset service providers;

other financial institutions.

with respect to customer-related risk: the share of non-resident customers from third countries identified pursuant to Chapter III, Section 2, of Regulation (EU) 2024/1624 and the presence and share of customers identified as politically exposed persons;

with respect to products and services offered:

with respect to geographical areas:

the minimum activities to be carried out by a credit institution or a financial institution under the freedom to provide services, whether through infrastructure or remotely, for it to be considered as operating in a Member State other than that where it is established;

the methodology based on the benchmarks referred to in paragraphs 5 and 6 for classifying the inherent and residual risk profiles of credit institutions or financial institutions, or groups of credit institutions or financial institutions, as low, medium, substantial or high.

identify the non-selected obliged entity in respect of which the financial supervisor is of the view that the Authority should assume direct supervision;

state the reasons for which AML/CFT direct supervision of the non-selected obliged entity is necessary;

identify and duly justify the proposed transfer date and the period for which the transfer of the tasks and powers is requested; and

provide all necessary supporting information, data and evidence that could be useful for the assessment of the request.

the requesting supervisor can demonstrate the inefficacy of supervisory measures imposed on the non-selected obliged entity in relation to serious, repeated or systematic breaches of applicable requirements;

the heightened ML/TF risk or the serious, repeated or systematic breaches of applicable requirements affect several entities within a non-selected obliged entity group, and the relevant financial supervisors agree that coordinated supervisory action at Union level would be more effective to address them;

the request concerns a temporary, objective and demonstrable lack of capacity at the level of the financial supervisor to adequately and timely address the ML/TF risk of a non-selected obliged entity.

the conditions under which financial supervisors are to assist the Authority pursuant to paragraph 2;

the process of periodic assessment referred to in Article 12(1), including the roles of the supervisory authorities and the Authority in assessing the risk profile of credit institutions and financial institutions referred to in that paragraph;

the working arrangements for the transfer of supervisory tasks and powers to the Authority or from the Authority to national level following a selection process, including arrangements on the continuity of pending supervisory procedures or investigations;

the procedures for the preparation and adoption of decisions on the selection of obliged entities;

the detailed rules and arrangements for the composition and functioning of the joint supervisory teams referred to in Article 16(1) and (2).

performing the supervisory reviews and assessments of the selected obliged entities;

coordinating on-site inspections of selected obliged entities and preparing supervisory measures where necessary;

participating in the preparation of draft decisions applicable to the respective selected obliged entity to be proposed to the General Board and Executive Board, taking into account the reviews, assessments and on-site inspections referred to in points (a) and (b);

liaising with financial supervisors where that is necessary to exercise supervisory tasks in any Member State where a selected obliged entity is established.

the selected obliged entity is found to be in breach of the Union acts and national legislation referred to in Article 1(2);

the Authority has sufficient and demonstrable indications that the selected obliged entity is likely to breach the Union acts and national legislation referred to in Article 1(2) and the application of an administrative measure can prevent the occurrence of the breach or reduce the risk thereof;

based on a duly justified determination by the Authority, the internal policies, procedures and controls in place in the selected obliged entity are not commensurate to the risks of money laundering, its predicate offences or terrorist financing to which the selected obliged entity is exposed.

issue recommendations;

order obliged entities to comply, including to implement specific corrective measures;

issue a public statement which identifies the natural or legal person and the nature of the breach;

issue an order requiring the natural or legal person to cease the conduct and to desist from repetition of that conduct;

restrict or limit the business, operations or network of institutions comprising the selected obliged entity, or require the divestment of activities;

require changes in the governance structure;

where a selected obliged entity is subject to authorisation, propose the withdrawal or suspension of that authorisation to the authority that has granted it; where the authority which has granted that authorisation does not follow the Authority’s proposal to suspend or withdraw, the Authority shall request it to provide the reasons thereof in writing.

require the provision of any data or information necessary for the fulfilment of tasks listed in Article 5(2) without undue delay, require the submission of any document, or impose additional or more frequent reporting requirements;

require the reinforcement of the internal policies, procedures and controls;

require the application of a specific policy or requirements relating to categories of, or individual, clients, transactions, activities or delivery channels that pose high ML/TF risks;

require the implementation of measures to decrease the ML/TF risks in the activities and products of selected obliged entities;

temporarily ban any person exercising managerial responsibilities in the selected obliged entity, or any other natural person held responsible for the breach, from exercising managerial functions in obliged entities.

for serious, repeated or systematic breaches of one or more requirements related to customer due diligence, group-wide policies, procedures and controls or reporting obligations that have been identified in two or more Member States where a selected obliged entity operates, the amount shall be at least EUR 500 000 and shall not exceed EUR 2 000 000 or 1 % of the annual turnover, whichever is higher;

for serious, repeated or systematic breaches of one or more requirements related to customer due diligence, internal policies, procedures and controls or reporting obligations that have been identified in one Member State where a selected obliged entity operates, the amount shall be at least EUR 100 000 and shall not exceed EUR 1 000 000 or 0,5  % of the annual turnover, whichever is higher;

for serious, repeated or systematic breaches of all other requirements that have been identified in two or more Member States where a selected obliged entity operates, the amount shall be at least EUR 100 000 and shall not exceed EUR 2 000 000 ;

for serious, repeated or systematic breaches of all other requirements that have been identified in one Member State where a selected obliged entity operates, the amount shall be at least EUR 100 000 and shall not exceed EUR 1 000 000 ;

for serious, repeated or systematic breaches of the decisions of the Authority referred to in Article 6(1), the amount shall be at least EUR 100 000 and shall not exceed EUR 1 000 000 .

a selected obliged entity to put an end to a breach, where it fails to comply with an administrative measure applied pursuant to Article 21(2), point (b), (d), (e) or (f), and Article 21(3);

a person referred to in Article 17(1) to supply complete information which has been required by a decision pursuant to Article 6(1);

a person referred to in Article 17(1) to submit to an investigation and in particular to produce complete records, data, procedures or any other material required and to complete and correct other information provided in an investigation launched pursuant to Article 18.

delay the publication of the decision until the moment when the reasons for not publishing it cease to exist;

publish the decision on an anonymous basis, if such anonymous publication ensures the effective protection of the personal data of the persons responsible; in that case, the Authority shall postpone the publication of the relevant data for a reasonable period if it is foreseen that within that period the reasons for anonymous publication shall cease to exist;

not publish the decision at all in the event that the options set out in points (a) and (b) are considered insufficient to ensure:

establish a college, where such a college has not yet been established even though the conditions for its establishment set out in Article 49 of Directive (EU) 2024/1640 are met, and convene and organise meetings of colleges;

assist in the organisation of college meetings, where requested by the relevant financial supervisors;

assist in the organisation of joint supervisory plans and joint on-site inspections or off-site investigations;

collect and share all relevant information in cooperation with the financial supervisors in order to facilitate the work of the college and make such information accessible to the authorities of the college;

promote effective and efficient supervisory activities and practices, including evaluating the risks to which non-selected obliged entities are or might be exposed;

oversee, in accordance with the tasks and powers specified in this Regulation, the tasks carried out by the financial supervisors.

investigate such indications, which could concern breaches of Union law or, where such Union law is composed of directives or expressly grants options for Member States, breaches of national law to the extent that that national law transposes directives or exercises options granted to Member States by Union law; and

consider imposing sanctions on that entity in respect of such breaches in accordance with directly applicable Union law or national law transposing directives.

following notifications by financial supervisors pursuant to paragraph 1;

as a result of the Authority’s own collection of well-substantiated information; or

upon receipt of information from Union institutions, bodies, offices or agencies, or from any other reliable and credible information source.

a description of the serious, repeated or systematic breaches of the directly applicable requirements by the non-selected obliged entity and an explanation of why such breaches fall within the scope of competence of the Authority, pursuant to paragraphs 2 and 3;

an explanation of why the request to the financial supervisor referred to in paragraph 2 did not result in any action being taken within the time limit set in paragraph 4, including, where relevant, the information that no reply was submitted by the financial supervisor;

a proposed length of time of a maximum of three years, during which the Authority will exercise the relevant tasks and powers in relation to the non-selected obliged entity concerned;

a description of the measures that the Authority intends to take in relation to the non-selected obliged entity concerned upon the transfer of the relevant tasks and powers to address the serious, repeated or systematic breaches referred to in paragraph 2;

any relevant communication between the Authority and the financial supervisor concerned.

the agreement has been reached but has not been effectively applied or adhered to by one of the parties;

a financial supervisor concludes, on the basis of objective reasons, that a disagreement exists;

two months have elapsed from the date of receipt by a financial supervisor of a request from another financial supervisor to take certain action in order to comply with the legislative acts referred to in Article 1(2) of this Regulation and the requested supervisor has not adopted a decision that satisfies the request.

the adequacy of powers and of financial, human and technical resources, the degree of independence and the governance arrangements and professional standards of the non-financial supervisor to ensure the effective application of Chapter IV of Directive (EU) 2024/1640;

the effectiveness and the degree of convergence reached in the application of Union law and in supervisory practice, and the extent to which the supervisory practice achieves the objectives set out in Union law;

the application of best practices developed by non-financial supervisors whose adoption might be of benefit for other non-financial supervisors;

the effectiveness and the degree of convergence reached with regard to the enforcement of the provisions adopted in the implementation of Union law, including the pecuniary sanctions imposed and administrative measures applied against persons responsible where those provisions have not been complied with.

suggest the establishment of a college where no such college has been established even though the Authority considers that the ML/TF risk exposure of the obliged entity and the scale of its cross-border activities justify the establishment of a college, and the convocation and organisation of college meetings;

assist in the organisation of college meetings and in the assessment of whether the conditions for the participation of third-country supervisors in the college are met, where requested by the relevant non-financial supervisors;

assist in the organisation of joint supervisory plans and joint on-site inspections or off-site investigations;

assist the non-financial supervisors in the collection and sharing of all relevant information in order to facilitate the work of the college and make such information accessible to the supervisors in the college;

promote effective and efficient supervisory activities and practices, including evaluating the risks to which obliged entities in the non-financial sector are or might be exposed;

provide assistance to non-financial supervisors, upon their specific requests, including requests to mediate between non-financial supervisors in the situations covered by Article 50(2) and (3) of Directive (EU) 2024/1640.

the agreement has been reached but has not been effectively applied or adhered to by one of the parties,

a non-financial supervisor concludes on the basis of objective reasons that a disagreement exists;

two months have elapsed from the date of receipt by a non-financial supervisor of a request from another non-financial supervisor to take certain action in order to comply with the legislative acts referred to in Article 1(2) of this Regulation and the requested supervisor has not adopted a decision that satisfies the request.

training programmes, including with respect to technological innovation;

personnel exchanges and secondment schemes, including secondment of FIU staff from a Member State to the Authority;

exchanges of practices between FIUs, including sharing expertise in a specific area;

development or procurement of IT tools and services to enhance the analysis capabilities of FIUs.

implement appropriate technical and organisational measures to ensure a level of security that protects personal data;

plan, coordinate, manage and support any testing activities;

ensure adequate financial resources;

provide training on the technical use of FIU.net by end-users.

the adequacy of the FIU’s resources, including human and technical and IT resources, to perform its functions;

the measures implemented to ensure that the FIU has operational independence and autonomy and is not subject to undue influence;

the measures that the FIU has put in place to protect the security and confidentiality of information;

the FIU’s function to receive suspicious transaction reports and other disclosures, including the number and nature of disclosures received and their quality;

the measures that the FIU has put in place to enhance the reporting of suspicious transactions by obliged entities, in particular in relation to their quality;

the FIU’s access to and use of additional information to enrich its analysis;

the tools used by the FIU to carry out an analysis;

the extent to which the FIU’s analysis and dissemination support the operational needs of authorities competent for the investigation and prosecution of money laundering, its predicate offences and terrorist financing;

domestic cooperation between the FIU and other competent authorities;

cross-border cooperation between the FIU and FIUs from other Member States.

the Chair of the Authority, with the right to vote;

the heads of the supervisory authorities of obliged entities in each Member State, with the right to vote;

one representative of the Commission, without the right to vote.

the Chair of the Authority, with the right to vote;

the heads of FIUs, with the right to vote;

one representative of the Commission, without the right to vote.

the Chair of the Authority;

five full-time members, including the Vice-Chair.

a selected obliged entity;

any other entity, where doing so would or could lead to a conflict with the legitimate interests of the Authority.

adopt, by 30 November of each year, on the basis of a proposal by the Executive Director, the draft single programming document in accordance with Article 65, and transmit it, for information to the European Parliament, the Council and the Commission by 31 January of the following year, as well as adopt and transmit any other updated version of the document;

adopt the draft annual budget of the Authority and exercise other functions in respect of the Authority’s budget;

assess and adopt a consolidated annual report on the Authority’s activities, including an overview of the fulfilment of its tasks, transmit it, by 1 July of each year, to the European Parliament, the Council, the Commission and the Court of Auditors, and make it public;

adopt an anti-fraud strategy, proportionate to fraud risks, taking into account the costs and benefits of the measures to be implemented;

adopt rules for the prevention and management of conflicts of interest in respect of its members, as well as the members of the Administrative Board of Review;

adopt its rules of procedure;

exercise, with respect to the staff of the Authority, the appointing authority powers;

adopt appropriate implementing rules for giving effect to the Staff Regulations and the Conditions of Employment of Other Servants in accordance with Article 110(2) of the Staff Regulations;

appoint the Executive Director and remove him or her from office in accordance with Article 70(5);

appoint an accounting officer, who may be the Commission’s accounting officer, subject to the Staff Regulations and the Conditions of Employment of Other Servants, who shall be fully independent in the performance of his or her duties;

ensure adequate follow-up to findings and recommendations stemming from the internal or external audit reports and evaluations, as well as from investigations of OLAF;

adopt the financial rules applicable to the Authority;

take all decisions on the establishment of the Authority’s internal structures and, where necessary, on their modification.

advise the staff of the Authority on any activity carried out by the Authority, where the Officer deems it necessary or where requested by the staff without impeding or delaying those activities;

promote and monitor the Authority’s compliance with fundamental rights;

provide non-binding opinions on the compliance of the Authority’s activities with fundamental rights;

inform the Executive Director and the Executive Board about possible violations of fundamental rights in the course of the Authority’s activities.

implementing decisions adopted by the Executive Board;

preparing the draft single programming document and submitting it to the Executive Board after consulting the Commission;

implementing the single programming document and reporting to the Executive Board on its implementation;

preparing the draft consolidated annual report on the Authority’s activities and presenting it to the Executive Board for assessment and adoption;

preparing an action plan following up conclusions of internal or external audit reports and evaluations, as well as investigations by OLAF, and regularly reporting on progress to the Commission, the General Board and the Executive Board;

protecting the financial interests of the Union by applying preventive measures against fraud, corruption and any other illegal activities, without prejudicing the investigative competence of OLAF, by effective checks and, if irregularities are detected, by recovering amounts wrongly paid and, where appropriate, by imposing effective, proportionate and dissuasive administrative penalties, including financial penalties;

preparing an anti-fraud strategy for the Authority and presenting it to the Executive Board for approval;

preparing draft financial rules applicable to the Authority;

preparing, as part of the draft single programming document, the Authority’s draft statement of estimates of revenue and expenditure pursuant to Article 78 and implementing its budget pursuant to Article 79;

preparing and implementing an IT security strategy, ensuring appropriate risk management for all IT infrastructure, systems and services, which are developed or procured by the Authority as well as sufficient IT security funding;

implementing the annual work programme of the Authority under the control of the Executive Board;

preparing a draft report describing all activities of the Authority, with a section on financial and administrative matters.

Regulation (EU) 2024/1624, insofar as the requirements applicable to credit institutions and financial institutions are concerned;

Regulation (EU) 2023/1113;

Directive (EU) 2024/1640, insofar as the requirements applicable to supervisory authorities, self-regulatory bodies in the exercise of supervisory functions and FIUs are concerned.

the information has been anonymised in such a manner that it no longer relates to any identified or identifiable natural person and that the obliged entity or other legal entities are no longer identifiable; or

the information has been modified, aggregated or treated by any other method of disclosure control to protect confidential information, including trade secrets, and to protect personal data through appropriate technical and organisational measures in accordance with Regulations (EU) 2016/679 and (EU) 2018/1725.

the necessary measures have been taken to anonymise the information, in a manner that prevents individual obliged entities, data subjects, and, where it is the Authority which grants access to the information, Member States from being identified;

the information has been modified, aggregated or treated by any other method of disclosure control to protect confidential information, including trade secrets or content covered by intellectual property rights;

the European Systemic Risk Board, as established by Regulation (EU) No 1092/2010 of the European Parliament and of the Council ( 20 );

the EBA;

the EIOPA;

the ESMA;

competent authorities, as defined in Article 4, point (2), of Regulation (EU) No 1093/2010;

competent authorities, as defined in Article 4, point (2), of Regulation (EU) No 1094/2010;

competent authorities, as defined in Article 4, point (3), of Regulation (EU) No 1095/2010;

the authorities composing the Single supervisory mechanism, as defined in Article 2, point (9), of Regulation (EU) No 1024/2013;

the Single Resolution Board, as established by Regulation (EU) No 806/2014 of the European Parliament and of the Council ( 21 );

resolution authorities, such as those referred to in Article 3(3) of Directive 2014/59/EU.