22 July 2015
The Fourth European Union (EU) Anti-Money Laundering Directive (Fourth Directive) was approved by the European Council on February 10, 2015, and by the European Parliament on May 20, 2015. The Fourth Directive was published in the official European Commission Journal on June 8, 2015, succeeding the Third EU Anti-Money Laundering Directive (Third Directive) ratified in 2005. Member States are required to incorporate the Fourth Directive into national laws by June 26, 2017, while financial institutions, accountants, tax advisers, lawyers, trust providers and estate/letting agents with whom the trustees form a business relationship (so-called “Obliged Entities” formerly known as “Designated Persons”) must comply with these laws starting June 26, 2017. The purpose of the Fourth Directive is to strengthen the EU rules against money laundering while aligning the international approach with the adoption of recommendations by the Financial Action Task Force (FATF), an inter-governmental body, which are broadly considered to be the global standards for combating money laundering and terrorist financing.
The core areas of the Fourth Directive remain in line with the Third Directive but there have been key updates in six components of the new Directive:
- Risk Based Approach
- Beneficial Ownership
- Politically Exposed Persons (PEPs)
- Policies and Procedures
- Cash Payments
This Flash Report summarizes the changes made to each of these categories, and provides brief guidance to the industry on how to approach each change.
What Are the Updates and What Should Financial Institutions Do?
Risk Assessments – The Fourth Directive introduces a new requirement for EU Member States to complete risk assessments at the national level. The results of these risk assessments will be made available to Obliged Entities and other Member States to help them identify, understand, manage and mitigate their risks. Furthermore, the European Commission will conduct an assessment of the risks of money laundering and terrorist financing at a supra-national level for distribution to the Member States at least every two years, in a bid to better identify cross-border threats that may not be identified by individual Member States.
Simplified Due Diligence (SDD) – The Fourth Directive has removed the automatic entitlement to apply SDD for specified customers and products. This is a change from current procedures, where Obliged Entities are permitted to apply SDD where a customer falls into a certain category (e.g. a financial institution listed on a regulated market). The Fourth Directive now requires Obliged Entities to determine the level of risk posed by a customer prior to applying SDD, and they will subsequently be required to provide robust rationale and justification if SDD is deemed appropriate.
Record Keeping – The Fourth Directive outlines updated record keeping requirements in relation to Customer Due Diligence (CDD). The retention policy to keep a copy of documents five years after the end of the business relationship remains; however, the Fourth Directive outlines newly-adopted requirements upon expiry of the retention period. Specifically, personal data (defined within Directive 95/46/EC, or the Data Protection Directive, to include any information relating to an identified or identifiable natural person) should be deleted unless provided for by national law, while further retention will only be granted if necessary for prevention, detection or investigation of money laundering and terrorist financing. It is important to note that the maximum retention period will not exceed ten years from the end of the business relationship. This update is important in aligning CDD requirements with data protection policies and procedures.
Risk Assessments – The results of the risk assessments at the national and EU level should be utilized by Obliged Entities and incorporated into their own risk assessments (e.g. Geographic Risk Assessments) to improve AML/CTF controls in their own institutions.
SDD – Organizations will now need to provide full justification to the regulators for applying SDD to particular customers. Institutions should evaluate their risk assessment methodologies currently in place from a qualitative and quantitative perspective, as further narrative rationale may be required in order to justify the risk associated with specific customers, products and jurisdictions within the organization. Organizations should use the results of risk assessments to draw clear distinctions among the different levels of due diligence applicable to particular customers and their associated risk levels, ultimately identifying the lower-risk customers to which SDD could be applied.
Institutions should also perform impact assessments to see how this may affect CDD and transaction monitoring. For example, in the past it was acceptable for Obliged Entities to apply SDD automatically to respondents that were publicly listed and well-known global institutions. That is no longer the case with the Fourth Directive. Obliged Entities will need to justify why some of their respondents require less due diligence than others.
Record Keeping – Entities must ensure they adhere to the record keeping policies in order to avoid penalties and regulatory violations, particularly with regard to protection of personal data. Policies and procedures may need to be updated and redistributed in order for employees to be made aware of the necessary requirements. Clearly articulated policies and procedures will be needed on when and how it is acceptable to destroy documentation. Institutions should consider any third-party vendors who help store records, and review the terms and conditions of their contracts to ensure they are in line with the new requirements.
Because the Fourth Directive makes tax evasion a predicate offense to money laundering, it also proposes enhanced clarity and transparency of beneficial ownership information, whilst bringing about a number of fundamental changes to UK company law. Obliged Entities will still be required to identify parties and conduct CDD in respect of any beneficial owner that controls more than 25% of the shares or voting rights of a business. In addition, there will be more stringent requirements for maintaining records to evidence beneficial ownership, alongside new laws abolishing the current practice of corporations acting as directors. The Fourth Directive further requires that ultimate beneficial owners of companies and other legal entities, including foundations and legal arrangements similar to trusts, be listed on central registers which will be accessible by persons including Obliged Entities and competent authorities. Beneficial ownership information will need to be available to Obliged Entities carrying out their AML/Counter Terrorist Financing (CTF) due diligence and to law enforcement agencies. For cases where no ultimate owner can be identified, a senior manager will be deemed sufficient to meet identification requirements.
Furthermore, entities incorporated within Member States will be required to take reasonable steps to identify individuals they know, or suspect, to hold significant control of the entity (25 percent or more).
This will require additional due diligence from entities to screen, identify and maintain a register of individuals with significant control of the entity and report to the relevant parties in order to avoid penalties and criminal conviction.
Per the emphasis on transparency within the Fourth Directive, Member States will be required to prohibit companies from issuing bearer shares. Current bearer shareholders will be permitted a nine-month period in which to surrender their shares in exchange for registered shares.
Corporate and other legal entities incorporated within Member States will need to ensure their current information on beneficial owners is adequate, accurate and up-to-date. Data protection and sensitivity will need to be considered with caution when disclosing information on public registers.
Obliged Entities should consider the potential impact of the public registers of beneficial owners: for instance, how this information will be incorporated into customer risk rating tools, how increases in risk may affect downstream operations (e.g., CDD, EDD, transaction monitoring), and whether this will create a need to de-risk customers that will now fall outside the risk appetite of the financial institution.
4. Policies and Procedures
The Fourth Directive more clearly defines the need for policies and procedures to ultimately mitigate AML/CTF risks at the EU, national and business level. The Fourth Directive introduces new requirements for entities to include data protection policies within AML/CTF policies and procedures for customer information sharing, with the primary objective to strengthen controls while maintaining the protection of data.
Alongside this, the Fourth Directive will require Obliged Entities with branches or majority-owned subsidiaries outside the EU – where AML/CTF legislation may be deemed deficient – to implement the AML requirements of the regulated entity’s home Member State, in order to achieve more consistent adherence to policies and procedures both within and outside the EU.
Obliged Entities should reassess current policies and procedures to identify any updates that may be required, particularly with regard to SDD/EDD, Beneficial Ownership, and PEPs (both domestic and foreign).
Additionally, entities should consider drafting a risk appetite statement to outline their approach to the updated definition of domestic PEPs. It is important to note that entities will be required to obtain senior management approval for the policies and procedures, and in turn senior management will be required to monitor and improve the measures taken.
It is particularly important for Obliged Entities whose responsibilities extend beyond the EU to consider the Directive’s stringent requirements for policies and procedures, especially where other jurisdictions have less stringent requirements.
The Fourth European Union Anti-Money Laundering Directive is intended to update and improve the EU's AML and CTF laws. While Member States have two years to adopt the Fourth Directive’s amendments into national legislation, financial institutions can assess and update their AML frameworks in preparation for the implementation of the new legal and regulatory requirements. Although changes in the Fourth Directive are less significant than some might have expected, financial institutions are encouraged to review their existing policies, procedures and practices against the updated text and make any necessary changes in a timely manner to avoid regulatory criticism.
Content Contributed by:
Thank you to the following Protiviti consulting professionals who contributed to this report:
- Helen Van Riel
- Erin Gavin