European Parliament and Council Formally Approve Fifth Update to AML Directive
On May 14, after nearly two years of negotiations and counterproposals, the European Parliament and Council adopted the fifth and latest update to the European Union’s Anti-Money Laundering Directive (5AMLD). Parliament and the member states reached an initial agreement on the amendments in the 5AMLD in December 2017.
The directive will be sent for publication in the Official Journal of the European Union and will enter into force 20 days after publication of the final text in the Journal. Member states will then have up to 18 months to transpose the new 5AMLD requirements into national legislation.
In an effort to adapt to a broad range of emerging threats facing the EU AML framework (e.g., recent terrorist attacks and issues emerging from the disclosure of the Panama Papers), the 5AMLD aims to improve the existing preventative AML framework while increasing transparency of financial transactions and ownership. The directive also underscores the need for the measures defined therein to be proportionate to the money laundering and terrorist financing (ML/TF) risk posed.
Scope of the 5AMLD
The new legislation requires that all banks and other businesses handling financial transactions within the EU (“obliged entities”) adhere to the requirements set out in the 5AMLD, increasing the responsibility of financial entities to undertake customer due diligence and report suspicious activity to respective authorities.
In addition to the legal entities and persons already subject to the Fourth EU Anti-Money Laundering Directive (4AMLD), the 5AMLD expands the definition of “obliged entities” to include other professional businesses, including auction houses, art dealers, estate agents, digital wallet providers and virtual currency exchange services.
- Extension of Scope to Include Virtual Currencies
The 5AMLD has further broadened the scope of obliged entities that fall under the scope of the directive to include all entities and persons engaged in exchange services between virtual currencies and fiat currencies, as well as custodian wallet providers. The 5AMLD clarifies the definitions of “virtual currencies” and “custodian wallet provider” under EU law and includes the requirement to adopt these legal definitions in AML legislation across all member states.
The 5AMLD emphasises a balanced but proportional approach to safeguarding technical advances while allowing competent authorities to monitor the use of virtual currencies through the defined measures required by obliged entities. In order to mitigate the risks related to the anonymity of virtual currencies and potential misuse for criminal purposes, national financial intelligence units (FIUs) are expected to obtain or must be provided information that enables them to associate virtual currency addresses to the identity of the owner of virtual currencies. Allowing users to voluntarily self-declare to designated authorities is still being considered and may be addressed in future regulations.
How to Prepare
Virtual currency exchange platforms will need to adopt the new regulatory framework set out in the directive to identify and mitigate ML/TF risks posed by virtual currency payment products and services. Providers of exchange services in virtual and fiat currencies will be obliged to develop and implement policies and effective mechanisms to apply customer due diligence controls, meet the customer identity verification requirements defined in the directive, and effectively monitor and report suspicious activity to relevant authorities.
The 5AMLD will now require EU member states to ensure that providers of exchange services between virtual currencies, fiat currencies and custodian wallet providers are registered.
- Lowered Threshold for Identifying Prepaid Cardholders
The updated requirements in the 5AMLD also aim to address the issue of anonymity associated with the use of prepaid cards, as they have been used as instruments to finance recent terrorist attacks. In an effort to do so, financial institutions will now be required to identify holders of prepaid cards valued at 150 euros or more (a reduction from the current threshold of 250 euros) and all customers of remote payment transactions exceeding 50 euros.
Further, the directive requires that transactions with anonymous prepaid cards that have been issued outside of the EU be restricted to only those issued by countries deemed to be sufficiently compliant with requirements set out in the current EU AML Directive framework.
Member states will have the option to decline payments via anonymous prepaid cards in their territory altogether through adoption of such measures in their national law.
How to Prepare
Transaction systems and controls should be tested to ensure that thresholds for prepaid card transaction amounts can be adjusted to meet the revised requirements, and they will need to be able to first identify, and then refuse, payments made with anonymous prepaid cards issued by territories deemed to have insufficient AML standards. An operational impact assessment should be completed to create or revise existing procedures, resources, governance, system requirements, etc., to meet these revised obligations and adhere to the identification requirements at the reduced thresholds.
- Beneficial Ownership Registers
A key change adopted through the 4AMLD was the requirement for beneficial ownership registers to be established in each member state. As such, member states are required to obtain and hold adequate, accurate and current information on corporate and other legal entities, including trusts and similar legal arrangements, incorporated or administered within their respective jurisdictions. The 5AMLD goes further to stipulate a requirement that each member state put verification mechanisms in place to enhance the accuracy of the information and reliability of such beneficial ownership registers for corporate and other legal entities incorporated within its territory.
Further updates to the timeline for implementation of the registers, access rights and technical specifications have now been defined in the 5AMLD as follows:
Implementation timelines: The deadline for introducing central beneficial ownership registers for companies will be 18 months after the date of entry into force of the 5AMLD and 20 months after the date of entry into force for trusts.
The European Commission will need to ensure interconnection of the member state registers with the European Central Platform within 32 months after entry into force.
Access: Beneficial ownership registers for firms operating in the EU will be accessible to the public.
Access to beneficial ownership information for trusts and similar legal arrangements will be granted to any person that can demonstrate a “legitimate interest” to information governed by the member state where the trust is established. The definition of “legitimate interest” will be defined by each member state, which also has the option through its national law to provide broader access to information for increased transparency.
Technical specifications: Member states’ central registers are required to be implemented in accordance with the technical specifications defined within the 5AMLD and Article 24 of Directive (EU) 2017/1132.
How to Prepare
Obliged entities should assess member state expectations for submission of any beneficial ownership information into the central registers and formalise a process to obtain, record and update the beneficial ownership information for the registers, as required.
Information available in Know Your Customer (KYC) records should be reviewed for completeness, and information-gathering exercises should be developed to mitigate any gaps in the beneficial ownership data. Where there may be gaps or new requirements to obtain beneficial ownership information, KYC periodic reviews should be used as an opportunity to obtain or confirm existing beneficial ownership information so the necessary information is available when it must be transferred into relevant beneficial ownership registers.
Obliged entities should also consider how the information made available in the beneficial ownership registers may be used to assist in AML investigations and for detecting links to predicate offenses and terrorist financing.
Technical requirements, including access controls, data privacy and operational challenges, should also be considered and tested in preparation for compliance with 5AMLD requirements.
- Enhanced Cooperation and Information Sharing Among EU Financial Intelligence Units and Supervisory Authorities
In order to enhance and simplify access to information on the identity of accountholders, the 5AMLD requires member states to set up centralised bank account registers or retrieval systems to identify holders of bank and payment accounts and safe deposit boxes, as well as their proxy owners and beneficial owners.
The information must be searchable and directly accessible by FIUs in an immediate and unfiltered manner and includes, but is not limited to, the following:
- Account holder: Name and other identification data deemed acceptable under national provisions, or a unique identification number.
- Beneficial owner: Name and other identification data deemed acceptable under national provisions, or a unique identification number.
- Bank or payment account: IBAN number and account open and close dates, as applicable.
- Safe deposit box: Name of the lessee, duration of the lease and other identification data required under national provisions, or a unique identification number.
Under the 5AMLD, member states can also consider requiring other information deemed essential for FIUs and competent authorities to be accessible and searchable through the centralised mechanisms.
Given that there are significant differences across FIU competencies and powers among EU member states, the 5AMLD aims to create a more efficient and coordinated approach to dissemination and sharing of information across FIUs and supervisory authorities. Under the directive, the powers of the FIUs have been increased to permit requests for information from any obliged entity without requiring the submission of a suspicious transaction report or requiring identification of a predicate offense. In doing so, the directive aims to make information readily accessible to FIUs and financial supervisory authorities while alleviating any issues in information sharing where differences in the definitions of associated predicate offenses may exist across member states.
How to Prepare
As member state FIUs will be permitted to request information from any obliged entity, financial institutions should ensure that effective mechanisms are in place to coordinate information internally and enable timely responses to requests from FIUs.
In the handling of these information requests, resources may need to be trained on applicable data privacy laws, utilisation of beneficial ownership and bank account data in the central registers, and new processes to provide information to FIUs.
- Consistent Approach Toward High-Risk Third Countries
The 5AMLD puts an impetus on member states to apply a specific list of Enhanced Due Diligence (EDD) measures for transactions involving entities recorded on a list of so-called high-risk third countries and sectors as defined by the European Commission. The high-risk third countries have been identified as having deficiencies in their AML regimes; this list may include third countries with low transparency on beneficial ownership information or with sanctions restrictions in place, or those countries that are uncooperative or noncompliant regarding the exchange of information.
By outlining the minimum EDD measures obliged entities must apply to transactions involving natural persons and legal entities established in the specified third countries, the directive is seeking to provide a formalised and consistent approach across the EU member states and reduce the ability of terrorists to exploit weaknesses in these measures.
How to Prepare
Obliged entities should review and prepare to adopt the EU list of money laundering high-risk third countries into existing KYC processes. A process to identify and manage ongoing changes to the list of third countries as defined by the European Commission should also be considered and implemented.
Risk rating methodologies, KYC systems and procedures should be impact-assessed and may require updating to fully address the EDD requirements set out in the 5AMLD for all transactions involving high-risk third countries. Updates to procedures and implementation of such measures should be proportionate to the scale of potential risk. Staff awareness and training regarding these requirements should also be introduced for legal entities and persons transacting with such third countries.
While obliged entities may still be adjusting to the requirements from the recently enforced Fourth AML Directive, the expanded scope of entities covered by the new fifth directive plus additional new requirements for those firms already covered by the 4AMLD will lead to further change as ML/TF remains a key area of regulatory focus.
Thank you to the following Protiviti consulting professionals who contributed to this report: Erin Gavin and Helen Van Riel.