Matt Taylor, a Managing Director in the Risk and Compliance wing of Protiviti, reflects on the impact of the Fifth EU AML Directive (5AMLD) and provides tips how organisations can best prepare for the new regulation.
Following the approval of the Fourth European Union (EU) Anti-Money Laundering (AML) Directive (4AMLD) in 2015, the “obliged entities” in scope have been subject to an ever-changing regulatory landscape as further amendments to 4AMLD were proposed in 2016.
Because of the release of the Panama Papers, a range of terror attacks in Europe and the EU Parliament’s desire to align with theFinancial Action Task Force (FATF) AML recommendations, the approval for amendments to 4AMLD are still underway. Additional parliamentary meetings and various counterproposals have contributed to further discussion and revision of the 4AMLD amendments, in an effort to adapt to new and emerging threats facing the existing AML framework. The proposed amendments to 4AMLD are now being addressed in what is referred to as the 5AMLD (or “Compromise Text”) and remain under review.
As it stands, the agreed-on 4AMLD text and the transposition date of June 26, 2017, will remain, but financial institutions should anticipate further regulatory change to come from the adoption of the 5AMLD. The directive will enter into force three days following its publication in the Official Journal of the European Union and must be transposed within six months of the same publication. It is anticipated that the EU Parliament’s adoption of the amendments will occur in June 2017.
The 5AMLD proposes five main requirements that impact financial institutions:
1) Extending the Directive Scope to include Virtual Currencies
The 4AMLD has defined “obliged entities” as financial institutions, accountants, tax advisors, lawyers, trust providers and estate/letting agents with whom the trustees form a business relationship.
The 5AMLD has further broadened the scope of obliged entities to include virtual currencies, anonymous prepaid cards and other, digital currencies such as bitcoin exchanges and wallet services to the list of activities carrying the risk of money laundering and terrorist financing (ML/TF). The 5AMLD better defines “virtual currencies” under EU law, and includes the requirement to adopt this legal definition in AML legislation across all member states.
Under the proposed 5AMLD, providers engaged in exchange services between virtual and fiat currencies and custodian wallet providers will be required to conduct ongoing monitoring of relationships and report suspicious activity to government entities. While regulators may not be focused on such currencies at present, increased scrutiny is expected on these operations and the structures of such firms. Discussions have begun on developing a central database for registering users’ identities and wallet addresses, in addition to potential self-declaration forms for virtual currency users. This suggests that future implications and obligations may become even more far-reaching, as transparency and anonymity become a focus for these payment technologies.
How to Prepare
Virtual currency exchanges and wallet providers will need to become accustomed to the new regulatory framework set out in the directive to identify and mitigate ML/TF risks posed by virtual currency payment products and services. Providers of exchange services in virtual and fiat currencies must develop and implement policies and effective mechanisms to combat ML/TF risks in preparation for compliance with 5AMLD requirements.
Separately, the 4AMLD requires currency exchange and cheque cashing offices, and trust or company service providers to be licenced or registered, and providers of gambling services to be regulated. The 5AMLD underscores the same requirements, and goes further to require EU Member States to ensure providers of exchange services between virtual currencies, fiat currencies and custodian wallet providers are registered.
2) Addressing the Issue of Anonymity in Relation to Prepaid Cards
The proposed updates in 5AMLD related to use of prepaid cards aim to address the issue of anonymity associated with such payment mechanisms. EU member states will be required to identify the customer in the case of remote payment transactions where the amount paid exceeds €50. After 36 months from 5AMLD being entered into force, identification shall be applied to all remote payment transactions.
In the event that a risk assessment classifies a customer as low risk, member states may allow obliged entities to be exempt from certain customer due diligence measures with respect to electronic money where a number of risk-mitigating conditions are met. Such conditions include, but are not limited to:
Maximum stored electronically amount is €150 (in the 4AMLD this threshold was set at €250)
Payment instrument is not reloadable and has a monthly maximum payment transaction limit of €150 (for use only in that member state)
Sole use of the payment instrument is for the purchase goods or services
Must not be funded with anonymous electronic money.
In addition, a provision has been made for anonymous prepaid cards issued outside the EU in third countries. The 5AMLD outlines new requirements for member states to restrict the use of prepaid cards issued by third countries only to those third countries deemed to be sufficiently compliant with requirements set out in current EU AML legislation.
How to Prepare
Obliged entities will be required to perform checks on prepaid card transactions in accordance with the revised thresholds, and they will need to be able to first identity, and then refuse, payments made with anonymous prepaid cards from countries deemed to have insufficient AML standards. Systems and controls should be tested to ensure that thresholds can be adjusted to meet the requirements of the 4AMLD and the 5AMLD as required. An operational impact assessment should be completed to create or revise existing procedures, resources, governance, system requirements, etc., to meet these proposed obligations.
3) Beneficial Ownership Registers
A key change adopted through the 4AMLD was the requirement for beneficial ownership registers, whereby member states will be required to obtain and hold adequate, accurate and current information on corporate and other legal entities, including trusts and similar legal arrangements, incorporated or administered within their respective member state.
The 5AMLD further clarifies requirements and timing for the implementation of such registers. Member states must be compliant with register requirements within 18 months of the 5AMLD implementation date. Registers must be interconnected to the European central platform within 18 months of its implementation in accordance with the technical specifications and procedures set out in Article 4C of Directive 2009/101/EC.
Public access will be granted for those individuals or organisations that demonstrate a legitimate interest in the beneficial ownership information. EU member states may choose to broaden access in their national laws (e.g. public access for transparency); however, access to register information must be granted within 18 months of implementation.
How to Prepare
Obliged entities should assess the information available in know your customer (KYC) records and begin the information-gathering processes to mitigate any gaps in the beneficial ownership data.
Where there may be gaps or new requirements to obtain beneficial ownership information, KYC periodic reviews should be used as an opportunity to obtain or confirm existing beneficial ownership information so the necessary information is available when it must be transferred into relevant beneficial ownership registers.
A formalised process to obtain, record and update the beneficial ownership information required for the register should be developed. Technical requirements, including access controls and operational challenges should also be considered and tested in preparation for compliance with 5AMLD requirements.
4) Enhancing cooperation and information sharing among EU financial intelligence units (FIUs)
In order to enhance and simplify access to information on the identity of holders of bank and payment accounts, the 5AMLD requires member states to put centralised automated mechanisms in place at the national level to identify payment accounts and bank accounts held by a credit institution, thereby developing a central source to identify all bank accounts for an individual person. Note that the 5AMLD leaves it up to each member state to ascertain and develop a central registry or data retrieval systems to comply. The proposed 5AMLD defines certain information that must be searchable and accessible in a timely manner through such registries, which includes, but is not limited to, the following:
Account holder: name and unique identification number, or other identification data deemed acceptable under national provisions per Article 13
Beneficial owner: name and unique identification number, or other identification data deemed acceptable under national provisions per Article 13
Bank or payment account: IBAN number and account open and close dates, as applicable.
Under the 5AMLD, member states may consider requiring other information deemed essential for FIUs and competent authorities to fulfil their obligations under this directive to be accessible and searchable through the centralised mechanisms. Currently, limitations exist in certain member states, requiring the submission of a suspicious transaction report or identification of a predicate offence to be made prior to any request for information. The 5AMLD further enhances the powers of the EU FIUs, as they will be permitted to request information from any obliged entity. The proposed amendments in 5AMLD aim to extend the scope for FIUs to make information more easily accessible and align the approach for FIUs with international standards and best practices.
How to Prepare
As member state FIUs will be permitted to request information from any obliged entity, financial institutions should ensure that effective mechanisms are in place to coordinate information internally and enables timely responses to requests from FIUs. In the handling of these information requests, resources may need to be trained on the applicable data privacy laws, utilisation of beneficial ownership and bank account data in the central registers and new processes to provide information to FIUs.
5) Developing a Consistent EU Approach Toward High-Risk Third Countries
The 5AMLD will require member states to apply a specific list of enhanced due diligence (EDD) measures for transactions involving entities on a list of high-risk third countries defined by the European Commission. This proposal outlines the minimum EDD measures obliged entities must apply, which will provide for a formalised approach and alignment of such EDD measures with the list of actions drawn up by the FATF. This will ultimately lessen differences in regulatory requirements between member states, minimising cases where a select number of EU countries commercially benefit relative to others adopting more stringent EDD requirements. Critically, this aims to reduce the ability of terrorists to exploit weaknesses in these measures.
How to Prepare
Obliged entities should review and prepare to adopt the EU list of money laundering high-risk third countries into existing KYC processes. Risk rating methodologies may require updating and may necessitate assessment and modification of KYC systems and procedures, to fully address the EDD requirements set out in the 5AMLD for all transactions involving high-risk third countries.
The amendments proposed in the 5AMLD are set out with an overarching goal towards a consistent and harmonised approach across EU member states in mitigating ML and TF within the financial system. Simultaneously, the proposed amendments will further align the EU’s AML and CTF laws to the FATF AML recommendations, emphasising a move towards a more global approach to tackling financial crime.
It is evident from the ongoing revisions and various iterations of the amendments that the 5AMLD has proved to be more controversial than the 4AMLD, particularly with prepaid cards and virtual currencies being more tightly regulated and uncertainty regarding the implementation of centralised registers.
The 5AMLD is under review for any further counterproposal or approval between the EU Parliament and the European Council. Discussions were scheduled for January 25, 2017, but have since been postponed to June 2017. Given the impending transposition date of June 26, 2017, for 4AMLD requirements to be adopted into national law, obliged entities should be poised to implement the requirements proposed in the 5AMLD, as the window between approval, publication into the Official Journal of the European Union, and transposition of 5AMLD, is a rather ambitious and short six months.