The EU’s latest anti-money laundering (AML) package was unveiled in July 2021, consisting of four legislative proposals - a directive and three regulations.
These bold recommendations, which implement the European Commission’s (EC) May 2020 Action Plan, represent the most significant revamp of the EU’s anti-money laundering and counter-terrorist financing legislation to date.
These proposals aim to change four key areas:
- Introducing a single AML rulebook
- New AMLA supervisory authority
- FIU coordination & support mechanism
- New requirements for crypto transfers
The proposals improve the current regime by introducing new rules, updating and refining existing requirements, and introducing a new supervisory approach.
This will be a significant change for financial institutions. It will end EU member states independent approaches to supervision and different expectations regarding directive implementation and control execution.
1. Introducing a single AML rulebook
The most significant change these proposals bring about is the Regulation which could require the creation of a single rulebook on AML/CTF to be shared by all EU countries.
a. Increased scope of obliged entities
The proposed Regulation would mean additional types of companies will fall under the scope of AML/CTF Rules, including investment migration operators, unregulated crowdfunding service providers, and creditors for mortgage and consumer credits and their associated intermediaries.
Additionally, the scope for people who store, trade, or act as intermediaries in the trade of works of art has expanded, as has the scope for crypto-asset firms.
b. Roles & responsibilities
Now a compliance manager must be designated, with specific tasks and responsibilities, including implementing policies, controls, and procedures. The role is also in charge of informing the board of directors about significant flaws.
The Regulation also clarifies the role of a compliance officer by stating that they are in charge of the day-to-day implementation of AML/CTF policies. Many companies currently have these responsibilities divided amongst various individuals and teams, so certain roles and responsibilities may need to be adjusted to address this requirement.
What’s more, compliance functions will now need to have adequate resources, technology and staffing levels. Those in charge of those functions must have the power to establish measures necessary to ensure the effectiveness of controls, policies and procedures.
Companies may also need to prove that these functions are suitably resourced, especially in light of any adverse control effectiveness findings.
c. Customer due diligence
The Regulation lays out in great detail the specific information and documentation that must be obtained as part of the Identification and Verification (ID&V) process for natural persons, legal entities, and trusts.
While companies will already be gathering data and verification documents as part of the onboarding process, they may not be doing so to the extent this Regulation requires, necessitating a gap analysis against procedures.
Companies must now obtain information on the source and destination of funds and the estimated amount and economic rationale of anticipated transactions or activities. With Source of Funds (SOF) being a one-time requirement for relationships with PEPs (politically exposed persons), companies are taking various approaches. Many don’t ask for the destination of funds, estimated amounts, or economic rationale. Companies will need to think about updating policies and procedures, staff AML training and the impact on resourcing and technology systems.
Companies must update customer information at least every five years under a new ongoing monitoring requirement. Some companies have higher review frequencies, while others are pursuing event-driven reviews as an option, in which low-risk customers are reviewed only upon specific triggers rather than regularly. Companies in this situation must ensure that review periods do not exceed the new five-year limit, and any existing trigger-based review methods or technology must be adjusted accordingly.
For occasional transactions, the threshold for applying customer due diligence (CDD) measures has been scaled back from 15,000 EUR to 10,000 EUR, prompting additional CDD requirements for businesses.
d. Enhanced due diligence
The EU’s high-risk third country (HRTC) list currently only includes countries that have “strategic deficiencies.” The commission now has to add to this list by identifying countries with “compliance weaknesses” in their national AML/CTF regimes, as well as countries that “pose a threat to the Union’s financial system.” In both cases, EDD measures must be used.
While any additions to the EU’s HRTC list are likely to have already been identified as high risk by the Financial Action Task Force (FATF) or by firms themselves, they may not currently trigger EDD. This means that businesses may need to prepare for an increase in the number of customers who require automatic EDD, though the extent of the impact won’t be known until the lists are published.
e. Beneficial ownership & control
There has been clarification on “control through ownership interest” and a new definition of “control via other means.” Many member states’ legislation does not define “control” in this manner, so businesses must ensure that existing definitions are updated as needed.
Firms may only outsource CDD-related tasks, according to the Regulation. Given that the definition of CDD includes ongoing monitoring, which includes transaction scrutiny, automated Transaction Monitoring (TM) should be allowed to be outsourced. There are also new bans on activities that “shall not be outsourced under any circumstances.”
Noteworthy bans include identification of criteria for detecting and reporting suspicious activities or transactions, approval of risk assessments and attribution of customer risk profile, and the development and drafting of internal controls, policies and procedures.
The Regulation will require companies to respond to Financial Intelligence Unit (FIU) requests for information, for Suspicious Activity Reports (SAR) or Suspicious Transaction Reports (STR) within five days, and in some instances 24 hours.
This may have significant consequences, especially for large companies filing large numbers of SARs or STRs who may need more resources to meet the deadline.
Companies cannot conduct transactions for a customer until the FIU has received an STR or SAR and any additional FIU instructions have been carried out. This would mean that companies must refrain from carrying out such transactions until the FIU has given them explicit permission.
This new requirement will have to be integrated into existing systems, controls, procedures, and training. Personnel will also need to be instructed on how to deal with customers when transactions must be put on hold while the FIU approves them, without “tipping off” the customer that an investigation is ongoing.
Because member states deviate from current STR or SAR submission rules, the process will become more complicated for companies in certain member states, potentially having a significant impact on existing processes. Nonetheless, the proposals should improve the efficiency of national money-laundering investigations in general.
2. New AMLA supervisory authority
The EU’s proposals effectively set up a new supervisory authority. Known as the anti-money laundering authority (AMLA), it will be at the heart of supervision, working to increase cooperation between regulators in the EU.
After implementing a harmonised AML rulebook for the EU, AMLA will supervise the highest-risk financial institutions with a presence in multiple EU jurisdictions, known as selected obliged entities, through joint teams led by AMLA but including staff from national supervisory authorities.
Select obliged entities will be supervised by AMLA with an EU-wide focus, with the ML or TF risk posed by the entire group rather than by individual entities. While this will increase regulatory scrutiny of these institutions, they may also benefit from working with a single EU supervisory body, potentially lowering compliance costs.
Through AMLA’s coordination of national supervisors and authority to set supervisory standards, all other financial and non-financial institutions subject to the AML rulebook across the EU will be indirectly supervised.
AMLA may order national supervisors to enforce the AML rulebook and intervene directly if the local supervisory regime is not effectively enforcing EU law.
This is expected to increase regulatory focus in areas where local regulators have traditionally been less active.
a. Key tasks and activities
AMLA is anticipated to be in charge of ensuring compliance with AML/CTF regulations for directly supervised obliged entities.
That would also include coordinating with other supervisors to maintain group-wide supervision and creating and maintaining a database on risks and vulnerabilities of obliged entities to aid supervisory activity.
The AMLA’s main responsibilities concerning EU national regulators will be to issue formal opinions and guidance to ensure that the AML rulebook is applied consistently. AMLA will also encourage regulator cooperation and publish thematic reviews of EU-wide ML or TF trends.
Furthermore, AMLA will regularly evaluate the effectiveness of financial and non-financial supervisors by evaluating their strategy, capacity, and resourcing and acting as a supervisor of last resort to uphold EU law.
b. Powers & authority
AMLA will form joint supervisory teams with all relevant national regulators and each obliged entity chosen. It will provide a group-wide, European perspective on ML or TF risk.
The proposal empowers AMLA to issue guidance to investigate identified obliged entities and impose fines for ML or CTF rules violations.
Depending on the nature of the breach, fines of up to €10 million or 10% of annual turnover may be imposed, with additional penalties imposed for each day a breach remains unremedied.
AMLA will be able to acquire relevant information and documentation from FIUs to carry out its responsibilities and issue guidelines and recommendations. AMLA is also expected to provide technical advice to the European parliament, council, and commission on developing standards and subsequent rules.
AMLA can ask a national regulator to probe a non-supervised entity for violating EU law on its behalf. If AMLA is dissatisfied with the financial supervisor’s response, they may operate as if they are the supervisor, including opening an investigation and imposing fines.
Furthermore, financial supervisors must notify AMLA in writing if an entity that’s not directly supervised is exposed to a significant ML or TF risk.
How will AMLA impact companies?
The proposal to create a separate, well-resourced EU supervisor promises to improve the cohesiveness and standard of AML/CTF supervision.
By directly supervising selected high-risk firms and monitoring national supervisors to make sure they are acting according to EU standards and AMLA’s expectations, AMLA will ensure that the new AML rulebook is applied consistently.
Due to the increased supervisory presence and regulatory standards, many businesses will likely need to devote more attention and resources in the near future. Selected obligated entities will also need to consider how contributing supervisory fees to AMLA will affect their budget.
As the unified framework evolves alongside the single unified supervisor, all businesses will need to consider how to Europeanise their compliance functions rather than continue operating in national regulatory silos. In some cases, this may mean that existing national regulatory systems or controls are no longer relevant.
Instead, EU-wide controls may be more transparent to regulators and more efficient to manage for businesses. In other cases, companies may need to consider whether their current risk assessment and control measures are comprehensive across the EU.
3. FIU coordination & support mechanism
The Regulation and supporting Directive establishing AMLA also establish a support and cooperation mechanism for FIUs.
AMLA will establish standardised reporting, assist FIUs with joint SAR analyses, and provide stable hosting of the FIU.net platform as part of their role as a coordination hub.
a. International cooperation between EU FIUs
AMLA will help achieve joint analysis among FIUs and coordinate best-practice exchanges, including sharing expertise in a particular area. Threat assessments and strategic evaluations of ML or TF threats, risks, and methods will be prepared and coordinated.
The Regulation establishes clear guidelines for cooperation in joint analyses and investigations, with FIUs required to provide justifications if they refuse to participate. It could lead to an increase in FIU requests for customer data, so businesses should expect more law enforcement involvement.
As a result of increased cooperation, companies should see a significant increase in cross-border intelligence availability, which will help to strengthen financial crime controls.
b. Standardising suspicious activity reports
AMLA will develop, share, and promote knowledge about suspicious transaction detection, analysis, and dissemination methods. They will be responsible for providing specialised training and support to FIUs and obliged entities and facilitating the interaction between companies and FIUs.
Companies should also expect AMLA to release standardised templates and models for reporting suspicion to improve the speed and efficiency with which FIUs across member states can coordinate cross-border information exchange.
These changes may provide much-needed clarity for businesses regarding FIU expectations. When reporting to multiple law enforcement agencies, increased communication and standardisation will help businesses streamline their operations.
c. Accessing financial intelligence
The Directive mandates that member states keep detailed statistics on the operation of their AML/CTF frameworks, such as the number of reports made to the FIU, follow-ups given to those reports, and the predicate offences identified.
Companies have long complained about receiving insufficient feedback from FIU reports. Improved transparency and reporting on FIU responses could help offer firms much-needed insights into ML or TF risks and typologies.
These changes go a long way toward addressing the challenges of cross-border information exchange, but companies should be aware of the data burden that will inevitably follow. Companies must ensure that any data submitted to FIUs via centralised mechanisms is accurate and high-quality and that data submission processes are well-governed.
4. New requirements for crypto transfers
The EU’s proposals intend to broaden the scope of current wire transfer rules to better align with the FATF’s Recommendation 16 (travel rule) amendments.
a. Data collection
For cryptocurrency transfers, the Regulation stipulates that identifiable data must be held on the originator (e.g. name, address and place and date of birth) and the transfer’s beneficiary (name and account number). The information gathered must be kept for five years.
Before executing the transfer, the originator’s Crypto Asset Service Provider (CASP) must verify the accuracy of the originator’s information using a reliable, independent source. Until this data is acquired, the CASP will be unable to execute any crypto-asset transfers. This requirement aims to ensure that crypto transfers are both effective and fully traceable.
b. CASP of beneficiaries
Before making crypto-assets available to the beneficiary, the Regulation requires the beneficiary’s CASP to verify the accuracy of the beneficiary’s data using a reliable, independent source (for transfers of over EUR 1,000, either single or linked).
For transfer values of less than EUR 1,000, the CASP must verify beneficiary information when payment is made via anonymous electronic money, in cash or where the CASP suspects money laundering or terrorist financing.
c. Missing or incomplete information
If the information outlined above is insufficient or missing, the beneficiary’s CASP will be obliged to make a risk-based decision about whether to execute or reject a crypto-asset transfer.
The beneficiary’s CASP will be obliged to report failures to verify accurate data and the steps taken to do so to AML/CTF authorities.
d. Payment service providers
Payment service providers (PSPs) based in the EU that send or receive cryptocurrencies will be required to collect data on the transaction’s originator and beneficiary and verify that data using independent sources.
When the payer’s service provider receives this data, the payer’s PSPs and IPSPs will be required to include the payer’s and payee’s Legal Entity Identifiers when transferring funds.
How will companies be impacted?
Certain CASP such as custody wallet providers and fiat-to-crypto exchange companies should already have begun to tighten their AML controls in light of 5AMLD’s requirements. Due to the increased regulatory scrutiny, the sector has received, AML controls are likely to be more critical than ever. However, CASPs are encouraged to seize the opportunity to incorporate this into existing AML change programs.
Given that PSPs have been subject to the wire transfer regulations for some time, the new requirement to include payer and payee information on fund transfers should be relatively simple to implement.
Want to learn more about Financial Crime?
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.