San Carlo Square and twin churches at night Turin

How new rules on financial crime will impact the EU AML regime

A new ambitious package overhauls the current EU AML regime, introducing significant change for EU-based firms.


In brief

  • The new regulatory package harmonizes EU anti-money laundering rules and imposes new requirements on EU firms.
  • There will be a new EU-wide supervisory authority with significant powers to ensure compliance and coordinate EU-level cooperation in financial intelligence.
  • There are also new rules on the inclusion of customer data in crypto-asset transfers via an extension in the scope of the existing wire transfer regulation.

On 20 July 2021, the EU’s new anti-money laundering (AML) package was released, comprising four legislative proposals: three regulations, and a directive. These ambitious proposals, which implement the European commission’s (EC) May 2020 Action Plan, constitute the biggest ever overhaul to the EU’s AML/CFT regime.

The proposals uplift the existing regime through the introduction of new rules, updating and refining existing requirements and providing a new approach to supervision. With EU member states currently pursuing their own approaches to supervision and having different expectations with respect to directive implementation and control execution, this will present a big change for financial institutions (FIs).

In this article, we look at four key areas of change as well as examine the impact for firms. While the legislative timetable is yet to be confirmed, firms should be engaging now on the possible changes, both technical and operational, and considering how these proposals could impact their current approach.

EY team summary and views of the proposed AML package

The EU AML package introduces:

  • An EU rule book on AML and combatting the financing of terrorism (CFT) creating a harmonized set of detailed requirements that will be directly applicable to firms in scope
  • The establishment of an EU-wide AML supervisory authority, AMLA
  • An EU-wide financial intelligence unit (FIU) to act as a coordination and support mechanism, to be overseen by AMLA
  • An extension of the scope of the wire transfer regulation (2015/847) to cover crypto assets and new requirements for crypto asset service providers (CASPS), payment service providers (PSPs) and intermediate payment service providers (IPSPs)

This package may be the start of a new era for AML/CFT compliance and how it is conducted across the EU - shifting towards consolidated European AML and CFT compliance functions and thus achieving a truly European approach to money laundering /terrorist financing (ML/TF) prevention.

Introducing harmonized EU AML rules has the potential to close some gaps and loopholes in the EU regime previously exploited, deter regulatory shopping, and also facilitate the streamlining of compliance functions, bringing many efficiencies with it.

Overall, the extent of change to be brought about by the AML package is substantial and will be more impactful than its legislative predecessors. As with any major proposed change, there are some areas that need further consideration, including clarity with respect to some of the provisions in the AML/CFT Rulebook. Aspects of the proposals as currently written could result in unintended consequences, which could detrimentally impact risk management. For example, the proposed outsourcing prohibitions and the introduction of a minimum five-year period for periodic review are areas where amendments to the text would be beneficial to achieve absolute clarity. For smaller FIs, with less well-established and resourced compliance functions, the extent of changes could be particularly impactful and expensive to implement.

Further, with the significant move towards EU harmonized AML rules, it is not clear how prominently the risk-based approach will feature in the future in the EU AML regime. A harmonized approach to the AML rules somewhat confuses messaging from previous years about risk-based application of controls. Guidance from AMLA, once it is established, about the extent to which firms can and should apply this in future would be beneficial.

There will likely be refinement of the existing proposals as stakeholders across the EU comment. It is likely that lobbying of the European Parliament or Council by interested groups will occur to amend some of the proposed changes or remove some altogether. As such, the final text may differ significantly from the current proposals.

How can FIs start preparing?

There is still a long road ahead before the requirements are finalized and firms need to implement changes in their control frameworks. Implementation dates will depend on the swiftness of the legislative process. However, the EC has indicated that it is “hopeful for a speedy legislative process” which could see the new AML regulations and directive finalized in 1-2 years, with then more lead time for implementation into national member state rules. The AMLA is due to commence general activities by 2024 and will be fully resourced by 2026.

Firms will need to be proactive throughout the legislative process as further updates and clarifications are made. While adjusting AML/CFT controls now would be premature, dedicating resources to follow the proposals and developing impact assessments would mean systems, controls, policies, procedures, people and technology, can all be adapted or enhanced ahead of implementation.

Customer experience will undoubtedly be impacted by the new proposals and firms would be wise to think about implementation strategies early on. For many, utilizing this as an opportunity for broader transformation or optimization of AML/CFT frameworks would be beneficial.

1

Chapter 1

The proposal introduces a single rulebook for AML

A significant shift towards harmonization will mean changes needed across several areas.

Arguably the largest and most impactful of the proposals is the proposal for a Regulation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, or in other words, a proposal for EU single rulebook on AML/CFT. Key areas of change are outlined below:

Increased scope of obliged entities

The Regulation proposes to include new types of firms in the scope of the AML/CFT rules including:

  • Unregulated crowdfunding service providers
  • Creditors for mortgage and consumer credits, and associated intermediaries
  • Investment migration operators

In addition, there has been an amendment to the scope for persons storing, trading or acting as intermediaries in the trade of works of art, and an expansion of the scope for crypto asset firms.

Roles and responsibilities

There is a new requirement to designate a compliance manager with specific tasks and duties, including responsibility for implementing policies, controls and procedures. The role is also responsible for reporting significant weaknesses to the board of directors.

The Regulation also further defines the roles of a compliance officer by making it clear they hold responsibility for day-to-day operation of AML/CFT policies.

Many firms will currently have these responsibilities split across teams, and individuals, and thus roles and responsibilities may require adjustment to address this requirement.

Additionally, the Regulation stipulates that compliance functions should have adequate resources, staff and technology and that those responsible for those functions are to be granted the powers to propose measures necessary to ensure effectiveness of policies, controls and procedures. With compliance functions often under-resourced, this will be welcomed. However, firms could come under pressure to clearly demonstrate that these functions are adequately resourced, especially in light of any adverse control effectiveness findings.

Customer due diligence measures

The Regulation explicitly sets out the specific information and documentation to be obtained as part of identification and verification (ID&V) for natural persons, legal entities and trusts, providing much greater detail than at present. While firms will already be collecting information and verification documents during onboarding, they may not be doing so to the extent laid out in this Regulation and as such a gap assessment against procedures should be conducted.

There is also a new requirement for firms to obtain information on the source and destination of funds as well as the estimated amount and economic rationale of envisaged transactions or activities. With source of funds (SOF) only a specific requirement for politically exposed persons (PEP) relationships under the fourth anti-money laundering Directive (4AMLD), firms currently adopt different approaches, and in many cases, don’t ask for destination of funds, estimated amounts or economic rationale. Firms would need to consider policy and procedure updates, training, and impacts on resourcing and technology systems.

A new ongoing monitoring requirement mandates firms to update customer information with a minimum frequency of five years. Some firms have higher review frequencies, whilst others are currently pursuing event-driven reviews as an option, whereby low-risk customers are reviewed only on a trigger basis and not subject to a review frequency. Such firms need to ensure review periods do not exceed the new five-year threshold and adjust any existing trigger-based review methods or technology accordingly.

The threshold for applying customer due diligence (CDD) measures for occasional transactions has been reduced from 15,000 EUR to 10,000 EUR, thus triggering additional CDD requirements for firms.

Enhanced due diligence (EDD)

Currently, the EU’s high-risk third country (HRTC) list is limited to countries with “strategic deficiencies.” Now the Commission is required to expand this list by identifying countries with “compliance weaknesses” in their national AML/CFT regimes as well as countries “posing a threat to the Union’s financial system.” EDD measures are to be applied in both cases.

Whilst it is likely that any additions to the EU’s HRTC list will already have been identified by the financial action task force (FATF) or classified by firms themselves as high risk, they may not currently automatically trigger EDD. This means firms may need to prepare for more of their customer base to require automatic EDD, albeit the extent of impact will not be clear until the lists are released.

Outsourcing

The Regulation clarifies that firms may outsource tasks deriving from CDD only. Given the definition of CDD includes ongoing monitoring, including the scrutiny of transactions, this should mean that automated transaction monitoring (TM) is permitted to be outsourced. Prohibitions on tasks that “shall not be outsourced under any circumstances” are also introduced. Notable prohibitions include:

  • The approval of the risk assessment and attribution of customer risk profile
  • Identification of criteria for detection and reporting of suspicious transactions or activities
  • Development and drawing up of internal policies, controls and procedures

This article documents further information and associated impacts on what the proposed outsourcing changes may mean for individual firms.

Beneficial ownership and control

Clarification on the definition of “control through ownership interest” and a new definition of “control via other means” has been provided. Many member states’ legislation doesn’t define “control” in this level of detail, and as such firms need to ensure that existing definitions are uplifted where required.

Reporting obligations

It is particularly notable that this Regulation includes significant detail with respect to obligations for submitting suspicious activity reports (SAR) or suspicious transaction reports (STR). Currently member states define reporting requirements in national legislation.

  • The Regulation requires firms to respond to FIU requests for information (with respect to STRs or SARs) within five days, and in certain cases, the FIU may shorten this to 24 hours. This short timeframe could have material impacts, particularly for large firms that file a high number of SARs or STRs who may require additional resources to meet this timeframe.

  • Firms cannot undertake transactions for the customer which are deemed to be suspicious until an STR or SAR has been made to the FIU, and any further FIU instructions have been actioned. This would mean firms refraining from carrying out transactions deemed suspicious until they have been granted consent by the FIU.

This will be a new concept for certain member states and firms in those countries. They will need to embed this new requirement into existing systems, controls, procedures and training. Staff will also need to be trained on how to handle customers when transactions need to be held back while awaiting consent from the FIU, without “tipping off” a customer that an investigation may be underway.

Given member states deviate with regards to current rules around STR or SAR submission, the process will increase in complexity for firms in certain member states and could be particularly impactful on existing processes. Albeit, overall, the proposals should improve the effectiveness of national money laundering investigations.


2

Chapter 2

The proposals establish a new supervisory authority - AMLA

Anti-money laundering authority (AMLA) will be at the heart of supervision, boosting co-operation between EU regulators.


The package includes a proposal for a Regulation establishing the AMLA creating an integrated, EU-level supervisor for countering money laundering and terrorist financing and establishing a support and cooperation mechanism for FIUs. This is also supported by a proposal for a sixth anti-money laundering directive (6AMLD) establishing the mechanisms that member states should put in place to prevent the use of the financial system for ML or terrorist financing (TF) purposes.

AMLA will sit at the center of an enhanced EU AML/CFT supervisory system, directly supervising some key European Financial Institutions and promoting international cooperation and consistency between EU supervisors.

Currently at the EU level, both the European central bank (ECB) and the European banking authority (EBA) act as supervisors. The EBA, which sets AML/CFT standards for the banking sector, plays an especially prominent AML/CFT role since its mandate was expanded in January 2020. While the EBA has coordinated investigations and reviewed breaches of AML/CFT standards, it lacks formal enforcement powers, experience outside of the banking sector and an adequate governance structure. Further, with a small AML/CFT team of approximately 10 people, the EBA is not resourced to effectively supervise a range of EU firms (compared with the planned 250 resources for AMLA).

Scope of AMLA supervision and enforcement

Once a harmonized EU AML rulebook has been successfully implemented, AMLA will directly supervise the highest-risk financial institutions with a presence in multiple EU jurisdictions, known as selected obliged entities, via joint teams led by AMLA, but including staff of national supervisory authorities. selected obliged entities will be supervised by AMLA with a whole of EU focus, considering the ML or TF risk posed not by individual entities, but by the entire group. While this will mean enhanced regulatory focus on these institutions, they may also benefit from interacting with a single EU supervisory body, potentially reducing the cost of compliance.

Other financial institutions and all non-financial institutions which are subject to the AML rulebook across the EU will be indirectly supervised by AMLA, through AMLA’s coordination of national supervisors and power to set supervisory standards.

AMLA may direct national supervisors to enforce the AML rulebook in respect of any firm and where the local supervisory regime is not enforcing EU law effectively, AMLA may directly intervene. This is anticipated to enhance regulatory focus in jurisdictions where local regulators have been historically less active.

AMLA key tasks and activities

For directly supervised obliged entities, AMLA is expected to be responsible for ensuring compliance with AML/CFT regulations. This is also expected to include coordinating with other supervisors to establish group-wide supervision, as well as establishing and maintaining a database on risks and vulnerabilities of obliged entities to support supervisory activity.

AMLA’s key tasks in relation to EU national regulators will be issuing formal opinions and guidance to promote consistency in the application of the AML rulebook. AMLA will also promote co-operation amongst regulators and will publish thematic reviews of EU-wide ML or TF trends.

In addition, AMLA will regularly assess the effectiveness of financial and non-financial supervisors by assessing their strategy, capacity and resourcing and by functioning as a supervisor of last resort to enforce EU law.

Powers and authority of AMLA

AMLA will be responsible for establishing joint supervisory teams with all relevant national regulators and each selected obliged entity. This is intended to give a group-wide, European view of ML or TF risk.

The proposal gives AMLA the authority to issue guidance to and conduct investigations of selected obliged entities and to impose fines for breaches of ML or CFT rules. Fines can be up to €10m or 10% of annual turnover, depending on the nature of the breach, and further fines can be imposed for each day a breach is un-remediated.

With respect to FIUs, AMLA will be able to obtain relevant information and documentation for it to perform its tasks, as well as issue guidelines and recommendations. AMLA is also expected to provide technical advice on the development of standards and future rules to the European parliament, council and commission.

Reporting of ML or TF risk by national supervisors

AMLA can, on its own account, ask a national regulator to investigate a non-supervised entity for breaches of EU Law. If AMLA is not content with the financial supervisor’s response, then they may act as though they are the supervisor, including commencing an investigation and/or issuing fines.

Further where an entity, not directly supervised, is exposed to very substantial ML or TF risk, then financial supervisors need to provide formal notification to AMLA.

What are the potential impacts for firms?

The proposal to introduce a stand-alone, well-resourced, and single EU supervisor promises to improve the consistency and standard of AML/CFT supervision across the region. AMLA will work to ensure the consistent application of the new AML rulebook by directly supervising selected high-risk firms and through monitoring national supervisors to ensure they are acting in line with EU standards and AMLA’s expectations.

Accordingly, while all firms should consider the implications of this proposal, it is expected that AMLA will have the greatest impact on:

  • Firms with a significant presence across the EU and higher ML or TF risk. These should expect direct supervision by AMLA.

  • Firms operating in member states with weaker AML/CFT regimes. These should anticipate material changes and enhancements to their local AML/CFT frameworks as regulatory and supervisory standards increase, including potential direct supervision by AMLA.

  • Non-financial sector firms who traditionally have been subject to limited AML/CFT supervision. These should prepare for a more noticeable supervisory presence as AMLA oversees the enforcement of AML rules by national regulators in non-financial sectors industries such as gambling, manufacturing, and real estate.

In the near term, it is likely that many firms will need to afford attention and resources in light of heightened supervisory presence and enhanced regulatory standards. Selected Obligated Entities will also need to consider the impact on their budget of being required to contribute supervisory fees to AMLA.

As the unified framework develops in tandem with the single unified supervisor, all firms will need to consider to what extent they European-ise their compliance functions - rather than continuing to operate in national regulatory silos. In some instances, this may mean that systems or controls mandated by existing national regulators may become less relevant. Instead, EU-wide controls may be both more transparent to the regulator and more efficient for firms to manage. In other instances, firms may need to consider whether their existing assessment and control of risk looks holistically across the EU.


3

Chapter 3

The proposals introduce the FIU coordination and support mechanism

The changes mark an important move to improve and standardize reporting of suspicious activity.


The Regulation and supporting Directive establishing the AMLA also introduces a support and cooperation mechanism for FIUs via the AMLA. Amongst their responsibilities as a coordination hub, AMLA will establish standardized reporting, assist FIUs with joint analyses of SARs and provide stable hosting of the FIU.net platform.

Enhance and standardize suspicious activity reporting

AMLA will develop, share and promote knowledge on detection, analysis, and dissemination methods of suspicious transactions. Part of their responsibility will be to provide specialized training and assistance to FIUs as well as obliged entities and support the interaction between firms and FIUs.

Firms can expect to receive support in developing awareness in detecting suspicious activities, and guidance on reporting to the FIUs. Further, firms should be prepared for AMLA to release standardized templates and models for reporting suspicion, with the aim of increasing the speed and efficiency with which FIUs across member states can coordinate with cross-border information exchange.

These changes have the potential to provide much-needed clarity for firms on FIU expectations. Increased communication and the standardization of approach will help firms streamline their own operations when reporting to multiple law enforcement authorities.

Promoting international cooperation between EU FIUs

AMLA will facilitate joint analysis between FIUs and coordinate exchanges of best practices, including sharing expertise in a specific area. It will also prepare and coordinate threat assessments, as well as strategic analyses of ML or TF threats, risks and methods.

The Regulation establishes clear approaches for cooperation around joint analysis and investigations, with FIUs being required to provide a rationale should they decline participation in the investigation. This has the potential to increase FIU requests for customer information, so firms could expect to see an increase in law enforcement engagement.

Throughout the 6AMLD, it is clear that differences in national laws should not impact FIUs’ ability to provide one another with assistance or limit the exchange of information. As such, firms could see a real increase in the availability of cross-border intelligence that could feed into strengthening financial crime controls.

Comprehensive access to financial intelligence

As established in the Regulation, the management, maintenance and hosting of FIU.net will be transferred from Europol to AMLA. The Commission will take over these responsibilities in September 2021 on an interim basis until AMLA is established.

The Directive requires member states to maintain comprehensive statistics related to the function of their AML/CFT frameworks, including the number of reports made to the FIU, the follow-up given to those reports and types of predicate offences identified. Insufficient feedback from FIU reports has long been a grievance expressed by firms, so better transparency and reporting over the FIU responses could help provide firms with much-needed insights into ML or TF threats and typologies.

As introduced in 5AMLD, 6AMLD requires the establishment of centralized automated mechanisms which allow FIUs immediate and unfiltered access to identity information of payment and bank account holders. 6AMLD also states that these centralized automated mechanisms will be interconnected via a single access point bank account register, which will be developed and operated by the Commission and accessible from all member states. Furthermore, 6AMLD highlights specific information that FIUs should be able to access immediately and directly, including information from obliged entities.

These changes go a long way in addressing difficulties of information exchange across borders, but firms will need to be aware of the data burden that is likely to follow. Firms will need to ensure that any information submitted via centralized mechanisms and provided to FIUs is accurate, of high quality and processes for submitting data are well-governed.


4

Chapter 4

The proposals require additional information for crypto transfers

The proposals include a notable increase in the information required before executing transfers.


The EU AML Package proposes to extend the scope of existing wire transfer regulation (2015/847) to align with the amendments made to Recommendation 16 (travel rule) of the financial action task force.

Collection of information

The Regulation requires that, for transfers of crypto-assets, identifiable information must be held on the originator (for example name, address and place and date of birth) and the beneficiary (name and account number) of the transfer. Information obtained must be kept for a period of five years. The CASP of the originator needs to verify the accuracy of the information on the originator using an independent reliable source before executing the transfer. The CASP will not be able to execute any transfer of crypto assets until this information has been obtained. This requirement seeks to ensure effective and full traceability of crypto transfers.

CASP of beneficiaries

The Regulation requires the CASP of the beneficiary to verify the accuracy of the information on the beneficiary using an independent reliable source, before making the crypto-assets available to the beneficiary (for transfers exceeding EUR 1,000, either single or linked). For transfer values below EUR 1,000, the CASP must verify beneficiary information when payment is made in cash, via anonymous electronic money, or where the CASP has reasonable grounds for suspecting money laundering or terrorist financing.

Incomplete or missing information

In cases where the information outlined above is incomplete or missing, the CASP of the beneficiary will be required to make a risk-based determination regarding whether to execute or reject a transfer of crypto-assets. The CASP of the beneficiary will be required to report failures to verify accurate information, as well as the steps taken to do so, to AML/CFT authorities.

PSPs in the EU

PSPs established in the EU and involved in sending or receiving crypto-assets will, similarly, be required to collect information on the originator and beneficiary of a transaction and verify this information using independent sources. In addition, PSPs and IPSPs of the payer will also need to include the Legal Entity Identifier of the payer and payee when transferring funds when this information is provided by the payer to the payer’s service provider.

How will the proposed changes impact firms?

Certain CASPs (e.g., fiat-to-crypto exchange firms and custody wallet providers) should already be well underway with their AML compliance establishment and enhancement programs to meet requirements of the 5AMLD. Given the increased regulatory attention the sector has attracted, attention on AML controls is likely stronger than ever.

The new rules are less burdensome than other new requirements introduced in the AML rulebook, albeit technology systems to ensure that the required information is transmitted as part of crypto-asset and fund transfers. There is an opportunity for CASPs to roll this into existing AML change programs.

Given PSPs have been under the scope of the wire transfer regulations for some time, the additional requirement to now include payer and payee details on transfer of funds should be relatively straightforward to implement.


Summary

With the sheer scale of change to the EU AML CFT regime being proposed, firms will need to undertake further deep dives into key impacted areas. Beyond the current proposed package, we also expect the Commission to provide (this year) additional guidance on key practical and related challenges for financial institutions: the use of public-private partnerships and compliance with the General Data Protection Regulation.

The Commission’s outreach for stakeholder views has already started. Watch this space for further insights and perspectives on the changes proposed as we continue to monitor the legislative process.

About this article

Related articles

How technology fights FinCrime while enhancing regulatory compliance

EY enabled a large global bank to lead the fight against FinCrime in a way that also helped it improve efficiency and increase compliance. Find out more.