European Commission releases ambitious AML/CFT legislative package

July 23, 2021

On 20 July, the European Commission released its official package of new measures to tackle money laundering and counter-terrorist financing.

Early reports provided some details about the measures, including the creation of the new EU AML Authority (AMLA), which is expected to become operational in 2024. Other aspects of the legislative proposals include a “single rulebook” of directly applicable customer due diligence (CDD) and beneficial ownership rules, revised crypto-asset regulations, and standardised powers for member state supervisors and FIUs. The package also incorporates the 6th EU money laundering directive (6AMLD) as directly applicable regulation.

The package will hopefully be welcome to many in the industry, not only for providing consistency, but for providing more detail and guidance on how to implement the requirements. The proposals will now be discussed by the European Parliament and Council.

Background

In the past few years, the EU Commission has intensified its focus on differences and gaps between member state implementation of the 5th AMLD (and even the 4th before it), particularly in light of recent scandals in the EU bloc. The July 2020 European Banking Authority (EBA) report on national regulators’ AML/CFT enforcement noted significant divergences between member states on almost every level, including risk assessment, resources, and even willingness to enforce against AML/CFT breaches.

According to the Commission, all of the recent EU money laundering cases involved cross-border flows, the investigation of which was often hampered by the inability or unwillingness of national FIUs to cooperate.

EU AML Authority (AMLA)

The proposed legislation describes AMLA as the “centrepiece” of the integrated AML/CFT supervisory system. It will coordinate national authorities empowered to supervise AML/CFT and will also have direct supervision of entities posing “high” ML/TF risk.  It will also have powers to draft regulatory and implementing standards, guidelines and recommendations in its area of competence. Although AMLA's competence is limited to EU legislation on AML/CFT, the draft regulation provides for some competencies relevant to AML/CFT, for example related to payment services and digital assets. The proposal also provides for cooperation between AMLA and other EU decentralised agencies where helpful.

In particular, AMLA will have the power to:

  • Ensure group-wide compliance with AML/CFT obligations on FIs (through supervisory reviews and assessments);
  • Conduct periodic reviews of member state financial supervisors;
  • Coordinate peer reviews of non-financial supervisors’ standards and request such non-financial supervisors to investigate compliance and possible breaches;
  • Play a “significant role” in FIUs’ joint analyses, develop appropriate methods and share tools for analysis and information sharing;
  • Adopt and implement regulatory technical standards.

Single EU Rulebook for AML/CFT

The EU Commission announced its intention to create a single rulebook on AML/CFT in its May 2020 action plan. The current framework of AML directives, which are not directly applicable, has, in the Commission’s view, led to fragmentation and divergent interpretations among member states. The new Rulebook continues to follow the current risk-based approach to AML/CFT, but does not merely transfer the existing directive requirements into regulation. It also includes important substantive changes, including:

  • Clarifications on required internal policies, controls and procedures such as the role of the compliance officer, and requirements applicable to parent entities that are not obliged entities and to groups and partnerships;
  • More granular CDD measures on the identification of the customer and verification of identity, along with clarifications on the use of electronic identification means;
  • New beneficial ownership requirements related to nominees and foreign entities and clarifications on the beneficial ownership of corporates and other legal entities;
  • Requirements related to EDD on PEPs and high risk third countries;
  • Guidance on reporting suspicious transactions, including a common template, and guidance on red flags; and
  • Inclusion in the scope of covered sectors of all crypto-asset service providers, crowdfunding platforms and migration operators.

Financial institutions designing their financial crime risk assessments may want to review the non-exhaustive list of risk variables included in Annexes I-III of the Rulebook proposal.

AMLA will have the power to impose pecuniary sanctions or periodic penalty payments (for ongoing non-compliance), and the Court of Justice of the European Union will have unlimited jurisdiction to review the decision and annul, reduce or increase the fine.

Other notable provisions:

  • Centralised bank account registries
    • Member States will be required to ensure that the information from centralised bank account registries is available through the bank account registers (BAR) single access point, which will be developed and operated by the Commission.
  • Full application of the EU AML/CFT rules to the digital currency sector
    • Currently, only certain crypto-asset service providers are caught by the EU’s money laundering regime. These proposals will extend to all service providers offering digital currencies.
  • EU-wide limit on large cash payments
    • Limits on cash payments currently exist in around two-thirds of Member States, but at varying levels. The proposals introduce a limit of €10,000 on cash payments.
  • Data protection requirements
    • The Rulebook introduces requirements for the processing of certain personal data, with a shorter time limit for the retention of personal data (5 years).
    • Groups have often struggled with balancing data protection and information sharing throughout the group. The proposals state that AMLA will draft regulatory standards specifying the minimum requirements of groupwide procedures and policies, including minimum standards for information sharing within the group in line with data protection requirements.

Conclusion

These reforms will be welcome to many in the industry who have been asking both for more consistency and guidance as well as enforcement tools. While the Rulebook will likely soon go into effect (if no issues are raised by the European Parliament and Council), the effectiveness of the regime may not become clear until AMLA goes into full operation in 2024, particularly with its power to promulgate technical standards and review obliged entity compliance. We will continue to monitor for developments.