The Fourth European Union Directive


22 July 2015

The Fourth European Union (EU) Anti-Money Laundering Directive (Fourth Directive) was approved by the European Council on February 10, 2015, and by the European Parliament on May 20, 2015. The Fourth Directive was published in the official European Commission Journal on June 8, 2015, succeeding the Third EU Anti-Money Laundering Directive (Third Directive) ratified in 2005. Member States are required to incorporate the Fourth Directive into national laws by June 26, 2017, while financial institutions, accountants, tax advisers, lawyers, trust providers and estate/letting agents with whom the trustees form a business relationship (so-called “Obliged Entities” formerly known as “Designated Persons”) must comply with these laws starting June 26, 2017. The purpose of the Fourth Directive is to strengthen the EU rules against money laundering while aligning the international approach with the adoption of recommendations by the Financial Action Task Force (FATF), an inter-governmental body, which are broadly considered to be the global standards for combating money laundering and terrorist financing.

The core areas of the Fourth Directive remain in line with the Third Directive but there have been key updates in six components of the new Directive:

  1. Risk Based Approach
  2. Beneficial Ownership
  3. Politically Exposed Persons (PEPs)
  4. Policies and Procedures
  5. Penalties
  6. Cash Payments

This Flash Report summarizes the changes made to each of these categories, and provides brief guidance to the industry on how to approach each change.

What Are the Updates and What Should Financial Institutions Do?

1. Risk Based Approach
Updates

Risk Assessments – The Fourth Directive comprises a new requirement for EU Member States to complete risk assessments at the national level. The results of these risk assessments will be made available to Obliged Entities and other Member States to identify, understand, manage and mitigate their risks. Furthermore, the European Commission will conduct an assessment of the risks of money laundering and terrorist financing at a supra-national level for distribution to the Member States at least every two years in a bid to better identify cross-border threats, which may not be identified by individual Member States.

Simplified Due Diligence (SDD) – The Fourth Directive has removed the automatic entitlement to apply SDD for specified customers and products. This is a change from current procedures, where Obliged Entities are permitted to apply SDD where a customer falls into a certain category (e.g. a financial institution listed on a regulated market). The Fourth Directive now requires Obliged Entities to determine the level of risk posed by a customer prior to applying SDD, and they will subsequently be required to provide robust rationale and justification if SDD is deemed appropriate.

Record Keeping – The Fourth Directive outlines updated record keeping requirements in relation to Customer Due Diligence (CDD). The retention policy to keep a copy of documents five years after the end of the business relationship remains; however, the Fourth Directive outlines newly-adopted requirements upon expiry of the retention period. Specifically, personal data (defined within Directive 95/46/EC, or the Data Protection Directive, to include any information relating to an identified or identifiable natural person) should be deleted unless provided for by national law, while further retention will only be granted if necessary for prevention, detection or investigation of money laundering and terrorist financing. It is important to note that the maximum retention period will not exceed ten years from the end of the business relationship. This update is important in aligning CDD requirements with data protection policies and procedures.

Impact

Risk Assessments – The results of the risk assessments at the national and EU level should be utilized by Obliged Entities and incorporated into their own risk assessments (e.g. Geographic Risk Assessments) to improve AML/CTF controls in their own institutions.

SDD – Organizations will now need to provide full justification to the regulators for applying SDD to particular customers. Institutions should evaluate their risk assessment methodologies currently in place from a qualitative and quantitative perspective, as further narrative rationale may be required in order to justify the risk associated with specific customers, products and jurisdictions within the organization. Organizations should use the results of risk assessments to determine clear distinctions among the different levels of due diligence applicable to particular customers and the varying risk levels associated to ultimately identify lower risk customers to which SDD could be applied.

Institutions should also perform impact assessments to see how this may affect CDD and transaction monitoring. For example, in the past it was acceptable for Obliged Entities to apply SDD automatically to respondents that were publicly listed and well-known global institutions. That is no longer the case with the Fourth Directive. Obliged Entities will need to justify why some of their respondents require less due diligence than others.

Record Keeping – Entities must ensure they adhere to the record keeping policies in order to avoid penalties and regulatory violations, particularly with regard to protection of personal data. Policies and procedures may need to be updated and redistributed in order for employees to be made aware of the necessary requirements. Clearly articulated policies and procedures will be needed on when and how it is acceptable to destroy documentation. Institutions should consider any third-party vendors who help store records, and review the terms and conditions of their contracts to ensure they are in line with the new requirements.

2. Beneficial Ownership
Updates

As a result of the Fourth Directive making tax evasion a predicate offense to money laundering, the Fourth Directive also proposes enhanced clarity and transparency of beneficial ownership information whilst bringing about a number of fundamental changes to UK company law. Obliged Entities will still be required to identify parties and conduct CDD in respect of any beneficial owner that controls more than 25% of the shares or voting rights of a business. In addition, there will be more stringent requirements for maintaining records to evidence beneficial ownership, alongside new laws abolishing the current practice of corporations acting as directors. The Fourth Directive further requires that ultimate beneficial owners of companies and other legal entities, including foundations and legal arrangements similar to trusts, be listed on central registers which will be accessible by persons including Obliged Entities and competent authorities. Beneficial ownership information will need to be available to Obliged Entities carrying out their AML/Counter Terrorist Financing (CTF) due diligence and to law enforcement agencies. For cases where no ultimate owner can be identified, a senior manager will be deemed sufficient to meet identification requirements.

Furthermore, entities incorporated within Member States will be required to take reasonable steps in identifying individuals they know, or suspect, to hold significant control of entities (25 percent or more).

This will require additional due diligence from entities to screen, identify and maintain a register of individuals with significant control of the entity and report to the relevant parties in order to avoid penalties and criminal conviction.

Per the emphasis on transparency within the Fourth Directive, Member States will be required to prohibit companies from issuing bearer shares. Current bearer shareholders will be permitted a nine-month period in which to surrender their shares in exchange for registered shares.

Impact

Corporate and other legal entities incorporated within Member States will need to ensure their current information on beneficial owners is adequate, accurate and up-to-date. Data protection and sensitivity will need to be considered with caution when disclosing information on public registers.

Obliged Entities should consider the potential impact of the public registers of beneficial owners. For instance, how this information will be incorporated into the customer risk rating tools, how increases in risk may affect downstream operations (e.g., CDD, EDD, transaction monitoring), and whether this will lead to any potential de-risking necessities for those customers that will now fall outside the risk appetite of the financial institution.

3. PEPs
Updates

The Fourth Directive broadens the definition of PEPs while also clarifying the requirements for carrying out enhanced due diligence (EDD) on these persons. PEPs will now encompass persons entrusted with a prominent public position domestically (e.g. heads of state, members of government, judges etc.) as well as domestic PEPs who work for international organizations. Moreover, a “Domestic PEP” will be specifically defined as a prominent public individual within the EU, whereas a “Foreign PEP” will strictly refer to those prominent individuals from outside the EU. In addition, where a PEP is no longer entrusted with a prominent public function by a Member State or a third country, or with a prominent function by an international organization, Obliged Entities must consider the continuing risk posed by that individual for at least 12 months, and until it is deemed that the person does not pose further risk specific to politically exposed persons.

Impact

The extended scope and definition of PEPs will require businesses to review their risk appetite statement, and update systems and controls to ensure they can identify domestic and foreign PEPs, as well as apply the appropriate level of due diligence, or enhanced due diligence, necessary. Policies and procedures will also need to be amended in order for employees to understand the new EDD requirements and adhere to the enhanced measures set out in the Fourth Directive. Obliged Entities will also need to consider whether they need to apply a different level of risk for domestic PEPs as defined by the EU (e.g. domestic to the EU) vs. PEPs that are domestic to the Member State in which the Obliged Entity is domiciled. In considering the continued risk posed by a PEP no longer entrusted with a prominent public function, Obliged Entities should apply appropriate risk-sensitive measures and caution (such as conducting enhanced and ongoing monitoring of business relationships, and establishing the source of wealth and funds involved in transactions of these persons) for at least 12 months from the initial date the PEP is deemed no longer entrusted.

4. Policies and Procedures

Updates

The Fourth Directive more clearly defines the need for policies and procedures to ultimately mitigate AML/CTF risks at the EU, national and business level. The Fourth Directive introduces new requirements for entities to include data protection policies within AML/CTF policies and procedures for customer information sharing, with the primary objective to strengthen controls while maintaining the protection of data.

Alongside this, the Fourth Directive will require Obliged Entities with branches or majority owned subsidiaries outside the EU – where AML/CTF legislation may be deemed deficient – to implement AML requirements of the regulated entity’s home Member State, in order to implement more consistent adherence to policies and procedures both within and outside the EU.

Impact

Obliged Entities should reassess current policies and procedures to identify any updates that may be required, particularly with regard to SDD/EDD, Beneficial Ownership, and PEPs (both domestic and foreign).

Additionally, entities should consider drafting a risk appetite statement to outline their approach to the updated definition of domestic PEPs. It is important to note that entities will be required to obtain senior management approval for the policies and procedures, and in turn senior management will be required to monitor and improve the measures taken.

It is particularly important for Obliged Entities, which have responsibilities that extend beyond the EU, to consider these stringent requirements of the Directive toward policies and procedures, especially where other jurisdictions have less stringent requirements.

5. Penalties

Updates

Minimum penalties are set out in the Fourth Directive that apply to breaches by Obliged Entities, which are serious, repeated, and/or systematic in the areas of customer due diligence, suspicious transactions reporting, record keeping and internal controls. Administrative penalties for breaches by natural or legal persons include public reprimand, cease and desist from conduct, suspension of authorization, temporary ban from managerial functions and maximum pecuniary sanctions of at least twice the amount of the benefit derived from the breach, or at least EUR 1 million. For breaches concerning a credit institution or financial institution, the maximum pecuniary penalties for a legal person are at least EUR 5 million or 10 percent of the total annual turnover, and at least EUR 5 million for a natural person. This is a change from the Third Directive where minimum penalties were not defined. The Third Directive required Member States to ensure that appropriate administrative measures or penalties could be imposed on credit and financial institutions that would be effective, proportionate and dissuasive.

Impact

Obliged Entities should ensure awareness of the sanctions set forth in the Fourth Directive and promote compliance with all AML/CTF obligations in order to avoid reputational damage and administrative and financial sanctions.

6. Cash Payments

Updates

The scope of the provisional Fourth Directive will now include traders in goods that make or receive cash payments of EUR 10,000 or more, either in a single operation or in several transactions that appear to be linked. The Fourth Directive now requires traders to conduct customer due diligence for transactions of EUR 10,000 or more. This threshold has been lowered from EUR 15,000 or more in the Third Directive.

Impact

As due diligence thresholds have been lowered for cash payments, institutions should review their policies and procedures for accepting and monitoring cash payments to ensure they incorporate and comply with the updated guidance.

Summary

The Fourth European Union Anti-Money Laundering Directive is intended to update and improve the EU's AML and CTF laws. While Member States have two years to adopt the Fourth Directive’s amendments into national legislation, financial institutions can assess and update their AML frameworks in preparation for the implementation of the new legal and regulatory requirements. Although changes in the Fourth Directive are less significant than some might have expected, financial institutions are encouraged to review their existing policies, procedures and practices against the updated text and make any necessary changes in a timely manner to avoid regulatory criticism.

Content Contributed by:

Bernadine Reese
Managing Director
+44.0207.024.7589
Carol Beaumier
Managing Director
+1.212.603.8337
Luis Manuel Canelon
Associate Director
+44.0207.024.7509

Acknowledgments

Thank you to the following Protiviti consulting professionals who contributed to this report:

  • Helen Van Riel
  • Erin Gavin