How new rules on financial crime will impact the EU AML regime

Enhanced due diligence (EDD)

Currently, the EU’s high-risk third country (HRTC) list is limited to countries with “strategic deficiencies.” Now the Commission is required to expand this list by identifying countries with “compliance weaknesses” in their national AML/CFT regimes as well as countries “posing a threat to the Union’s financial system.” EDD measures are to be applied in both cases.

Whilst it is likely that any additions to the EU’s HRTC list will already have been identified by the financial action task force (FATF) or classified by firms themselves as high risk, they may not currently automatically trigger EDD. This means firms may need to prepare for more of their customer base to require automatic EDD, albeit the extent of impact will not be clear until the lists are released.

Outsourcing

The Regulation clarifies that firms may outsource tasks deriving from CDD only. Given the definition of CDD includes ongoing monitoring, including the scrutiny of transactions, this should mean that automated transaction monitoring (TM) is permitted to be outsourced. Prohibitions on tasks that “shall not be outsourced under any circumstances” are also introduced. Notable prohibitions include:

• The approval of the risk assessment and attribution of customer risk profile
• Identification of criteria for detection and reporting of suspicious transactions or activities
• Development and drawing up of internal policies, controls and procedures

This article documents further information and associated impacts on what the proposed outsourcing changes may mean for individual firms.

Beneficial ownership and control

Clarification on the definition of “control through ownership interest” and a new definition of “control via other means” has been provided. Many member states’ legislation doesn’t define “control” in this level of detail, and as such firms need to ensure that existing definitions are uplifted where required.

Reporting obligations

It is particularly notable that this Regulation includes significant detail with respect to obligations for submitting suspicious activity reports (SAR) or suspicious transaction reports (STR). Currently member states define reporting requirements in national legislation.

• The Regulation requires firms to respond to FIU requests for information (with respect to STRs or SARs) within five days, and in certain cases, the FIU may shorten this to 24 hours. This short timeframe could have material impacts, particularly for large firms that file a high number of SARs or STRs who may require additional resources to meet this timeframe.
  
  
• Firms cannot undertake transactions for the customer which are deemed to be suspicious until an STR or SAR has been made to the FIU, and any further FIU instructions have been actioned. This would mean firms refraining from carrying out transactions deemed suspicious until they have been granted consent by the FIU.

This will be a new concept for certain member states and firms in those countries. They will need to embed this new requirement into existing systems, controls, procedures and training. Staff will also need to be trained on how to handle customers when transactions need to be held back while awaiting consent from the FIU, without “tipping off” a customer that an investigation may be underway.

Given member states deviate with regards to current rules around STR or SAR submission, the process will increase in complexity for firms in certain member states and could be particularly impactful on existing processes. Albeit, overall, the proposals should improve the effectiveness of national money laundering investigations.

The package includes a proposal for a Regulation establishing the AMLA creating an integrated, EU-level supervisor for countering money laundering and terrorist financing and establishing a support and cooperation mechanism for FIUs. This is also supported by a proposal for a sixth anti-money laundering directive (6AMLD) establishing the mechanisms that member states should put in place to prevent the use of the financial system for ML or terrorist financing (TF) purposes.

AMLA will sit at the center of an enhanced EU AML/CFT supervisory system, directly supervising some key European Financial Institutions and promoting international cooperation and consistency between EU supervisors.

Currently at the EU level, both the European central bank (ECB) and the European banking authority (EBA) act as supervisors. The EBA, which sets AML/CFT standards for the banking sector, plays an especially prominent AML/CFT role since its mandate was expanded in January 2020. While the EBA has coordinated investigations and reviewed breaches of AML/CFT standards, it lacks formal enforcement powers, experience outside of the banking sector and an adequate governance structure. Further, with a small AML/CFT team of approximately 10 people, the EBA is not resourced to effectively supervise a range of EU firms (compared with the planned 250 resources for AMLA).

Scope of AMLA supervision and enforcement

Once a harmonized EU AML rulebook has been successfully implemented, AMLA will directly supervise the highest-risk financial institutions with a presence in multiple EU jurisdictions, known as selected obliged entities, via joint teams led by AMLA, but including staff of national supervisory authorities. selected obliged entities will be supervised by AMLA with a whole of EU focus, considering the ML or TF risk posed not by individual entities, but by the entire group. While this will mean enhanced regulatory focus on these institutions, they may also benefit from interacting with a single EU supervisory body, potentially reducing the cost of compliance.

Other financial institutions and all non-financial institutions which are subject to the AML rulebook across the EU will be indirectly supervised by AMLA, through AMLA’s coordination of national supervisors and power to set supervisory standards.

AMLA may direct national supervisors to enforce the AML rulebook in respect of any firm and where the local supervisory regime is not enforcing EU law effectively, AMLA may directly intervene. This is anticipated to enhance regulatory focus in jurisdictions where local regulators have been historically less active.

AMLA key tasks and activities

For directly supervised obliged entities, AMLA is expected to be responsible for ensuring compliance with AML/CFT regulations. This is also expected to include coordinating with other supervisors to establish group-wide supervision, as well as establishing and maintaining a database on risks and vulnerabilities of obliged entities to support supervisory activity.

AMLA’s key tasks in relation to EU national regulators will be issuing formal opinions and guidance to promote consistency in the application of the AML rulebook. AMLA will also promote co-operation amongst regulators and will publish thematic reviews of EU-wide ML or TF trends.

In addition, AMLA will regularly assess the effectiveness of financial and non-financial supervisors by assessing their strategy, capacity and resourcing and by functioning as a supervisor of last resort to enforce EU law.

Powers and authority of AMLA

AMLA will be responsible for establishing joint supervisory teams with all relevant national regulators and each selected obliged entity. This is intended to give a group-wide, European view of ML or TF risk.

The proposal gives AMLA the authority to issue guidance to and conduct investigations of selected obliged entities and to impose fines for breaches of ML or CFT rules. Fines can be up to €10m or 10% of annual turnover, depending on the nature of the breach, and further fines can be imposed for each day a breach is un-remediated.

With respect to FIUs, AMLA will be able to obtain relevant information and documentation for it to perform its tasks, as well as issue guidelines and recommendations. AMLA is also expected to provide technical advice on the development of standards and future rules to the European parliament, council and commission.

Reporting of ML or TF risk by national supervisors

AMLA can, on its own account, ask a national regulator to investigate a non-supervised entity for breaches of EU Law. If AMLA is not content with the financial supervisor’s response, then they may act as though they are the supervisor, including commencing an investigation and/or issuing fines.

Further where an entity, not directly supervised, is exposed to very substantial ML or TF risk, then financial supervisors need to provide formal notification to AMLA.

What are the potential impacts for firms?

The proposal to introduce a stand-alone, well-resourced, and single EU supervisor promises to improve the consistency and standard of AML/CFT supervision across the region. AMLA will work to ensure the consistent application of the new AML rulebook by directly supervising selected high-risk firms and through monitoring national supervisors to ensure they are acting in line with EU standards and AMLA’s expectations.

Accordingly, while all firms should consider the implications of this proposal, it is expected that AMLA will have the greatest impact on:

• Firms with a significant presence across the EU and higher ML or TF risk. These should expect direct supervision by AMLA.
  
  
• Firms operating in member states with weaker AML/CFT regimes. These should anticipate material changes and enhancements to their local AML/CFT frameworks as regulatory and supervisory standards increase, including potential direct supervision by AMLA.
  
  
• Non-financial sector firms who traditionally have been subject to limited AML/CFT supervision. These should prepare for a more noticeable supervisory presence as AMLA oversees the enforcement of AML rules by national regulators in non-financial sectors industries such as gambling, manufacturing, and real estate.

In the near term, it is likely that many firms will need to afford attention and resources in light of heightened supervisory presence and enhanced regulatory standards. Selected Obligated Entities will also need to consider the impact on their budget of being required to contribute supervisory fees to AMLA.

As the unified framework develops in tandem with the single unified supervisor, all firms will need to consider to what extent they European-ise their compliance functions - rather than continuing to operate in national regulatory silos. In some instances, this may mean that systems or controls mandated by existing national regulators may become less relevant. Instead, EU-wide controls may be both more transparent to the regulator and more efficient for firms to manage. In other instances, firms may need to consider whether their existing assessment and control of risk looks holistically across the EU.

The Regulation and supporting Directive establishing the AMLA also introduces a support and cooperation mechanism for FIUs via the AMLA. Amongst their responsibilities as a coordination hub, AMLA will establish standardized reporting, assist FIUs with joint analyses of SARs and provide stable hosting of the FIU.net platform.

Enhance and standardize suspicious activity reporting

AMLA will develop, share and promote knowledge on detection, analysis, and dissemination methods of suspicious transactions. Part of their responsibility will be to provide specialized training and assistance to FIUs as well as obliged entities and support the interaction between firms and FIUs.

Firms can expect to receive support in developing awareness in detecting suspicious activities, and guidance on reporting to the FIUs. Further, firms should be prepared for AMLA to release standardized templates and models for reporting suspicion, with the aim of increasing the speed and efficiency with which FIUs across member states can coordinate with cross-border information exchange.

These changes have the potential to provide much-needed clarity for firms on FIU expectations. Increased communication and the standardization of approach will help firms streamline their own operations when reporting to multiple law enforcement authorities.

Promoting international cooperation between EU FIUs

AMLA will facilitate joint analysis between FIUs and coordinate exchanges of best practices, including sharing expertise in a specific area. It will also prepare and coordinate threat assessments, as well as strategic analyses of ML or TF threats, risks and methods.

The Regulation establishes clear approaches for cooperation around joint analysis and investigations, with FIUs being required to provide a rationale should they decline participation in the investigation. This has the potential to increase FIU requests for customer information, so firms could expect to see an increase in law enforcement engagement.

Throughout the 6AMLD, it is clear that differences in national laws should not impact FIUs’ ability to provide one another with assistance or limit the exchange of information. As such, firms could see a real increase in the availability of cross-border intelligence that could feed into strengthening financial crime controls.

Comprehensive access to financial intelligence

As established in the Regulation, the management, maintenance and hosting of FIU.net will be transferred from Europol to AMLA. The Commission will take over these responsibilities in September 2021 on an interim basis until AMLA is established.

The Directive requires member states to maintain comprehensive statistics related to the function of their AML/CFT frameworks, including the number of reports made to the FIU, the follow-up given to those reports and types of predicate offences identified. Insufficient feedback from FIU reports has long been a grievance expressed by firms, so better transparency and reporting over the FIU responses could help provide firms with much-needed insights into ML or TF threats and typologies.

As introduced in 5AMLD, 6AMLD requires the establishment of centralized automated mechanisms which allow FIUs immediate and unfiltered access to identity information of payment and bank account holders. 6AMLD also states that these centralized automated mechanisms will be interconnected via a single access point bank account register, which will be developed and operated by the Commission and accessible from all member states. Furthermore, 6AMLD highlights specific information that FIUs should be able to access immediately and directly, including information from obliged entities.

These changes go a long way in addressing difficulties of information exchange across borders, but firms will need to be aware of the data burden that is likely to follow. Firms will need to ensure that any information submitted via centralized mechanisms and provided to FIUs is accurate, of high quality and processes for submitting data are well-governed.

The EU AML Package proposes to extend the scope of existing wire transfer regulation (2015/847) to align with the amendments made to Recommendation 16 (travel rule) of the financial action task force.

Collection of information

The Regulation requires that, for transfers of crypto-assets, identifiable information must be held on the originator (for example name, address and place and date of birth) and the beneficiary (name and account number) of the transfer. Information obtained must be kept for a period of five years. The CASP of the originator needs to verify the accuracy of the information on the originator using an independent reliable source before executing the transfer. The CASP will not be able to execute any transfer of crypto assets until this information has been obtained. This requirement seeks to ensure effective and full traceability of crypto transfers.

CASP of beneficiaries

The Regulation requires the CASP of the beneficiary to verify the accuracy of the information on the beneficiary using an independent reliable source, before making the crypto-assets available to the beneficiary (for transfers exceeding EUR 1,000, either single or linked). For transfer values below EUR 1,000, the CASP must verify beneficiary information when payment is made in cash, via anonymous electronic money, or where the CASP has reasonable grounds for suspecting money laundering or terrorist financing.

Incomplete or missing information

In cases where the information outlined above is incomplete or missing, the CASP of the beneficiary will be required to make a risk-based determination regarding whether to execute or reject a transfer of crypto-assets. The CASP of the beneficiary will be required to report failures to verify accurate information, as well as the steps taken to do so, to AML/CFT authorities.

PSPs in the EU

PSPs established in the EU and involved in sending or receiving crypto-assets will, similarly, be required to collect information on the originator and beneficiary of a transaction and verify this information using independent sources. In addition, PSPs and IPSPs of the payer will also need to include the Legal Entity Identifier of the payer and payee when transferring funds when this information is provided by the payer to the payer’s service provider.

How will the proposed changes impact firms?

Certain CASPs (e.g., fiat-to-crypto exchange firms and custody wallet providers) should already be well underway with their AML compliance establishment and enhancement programs to meet requirements of the 5AMLD. Given the increased regulatory attention the sector has attracted, attention on AML controls is likely stronger than ever.

The new rules are less burdensome than other new requirements introduced in the AML rulebook, albeit technology systems to ensure that the required information is transmitted as part of crypto-asset and fund transfers. There is an opportunity for CASPs to roll this into existing AML change programs.

Given PSPs have been under the scope of the wire transfer regulations for some time, the additional requirement to now include payer and payee details on transfer of funds should be relatively straightforward to implement.