Overview
On July 20, 2021, the European Commission published its long-awaited legislative package titled "Anti-money laundering and countering the financing of terrorism" as announced in the Commission’s 2020 Action Plan for a comprehensive EU policy on preventing money laundering and terrorist financing (ML/TF).
As expected, the proposals seek to harmonize the application of more detailed anti-money laundering and counter-financing of terrorism (AML/CFT) rules by creating an EU-level AML authority, strengthening the supervisory framework, further harmonizing and detailing EU AML/CFT rules, and adapting those rules to digitalization and technological innovation. Further, in promoting higher disclosure and transparency requirements, the proposed legislation could have far-reaching consequences for those transacting in or using cryptocurrencies.
In the following, we provide an overview of the four Commission proposals.
Creation of a new EU AML Authority (AMLA)
A new draft Regulation proposes to create a new AMLA, to be established as of January 1, 2023, and expected to be fully operational by the beginning of 2024. The Commission aims to create a single supervisory framework, in order to avoid inconsistent application of AML/CFT rules by different Member States' regulators. The new authority is expected to begin direct supervisory tasks in 2026, with the aim to address shortcomings identified in AML/CFT supervision. AMLA will not only aim to prevent and help assess ML/TF risks, but also ensure high-quality supervision and supervisory convergence across the EU.
The Commission proposes that AMLA should be attributed the following competences:
- Direct supervision, via joint supervisory teams, over a limited number of the riskiest cross-border financial sector obliged entities. The draft Regulation lays out the criteria against which the obliged entities must be assessed in determining their level of risk, along with the listing process. Those criteria include the extent to which an obliged entity works with third countries that themselves present AML/CFT risks. An obliged entity, as defined under the 4th and 5th Anti-Money Laundering Directives, is subject to the Member States' rules implementing the AML Directives, such as customer due diligence. Obliged entities include credit institutions, financial institutions, as well as natural and legal persons acting in the exercise of specific professional activities.
The authority would be vested with supervisory and investigative powers, for instance to determine whether the strategies and mechanisms put in place by the selected obliged entities are adequate to mitigate risks. Moreover, the authority could request the obliged entity, through binding decisions, to strengthen measures or to require the divestment of risky activities. Additionally, AMLA would have the power to impose administrative sanctions of up to a maximum of 10 percent of the annual turnover of the preceding business year or EUR 10 million, whichever is higher. It could also impose a periodic penalty payment in order to compel a selected obliged entity to put an end to a breach or to compel a person to supply complete information or to submit to an investigation.
- Indirect supervision of non-selected obliged entities and non-financial obliged entities, including coordination and oversight of national AML/CFT supervisors. AMLA shall assess activities to ensure high-level supervisory standards and practices, following which a report will indicate any measures that need to be taken as a result of the assessment. Moreover, it may issue guidelines and recommendations.
- Coordinate work with Financial Intelligence Units (FIUs) to improve cooperation, in particular by adopting binding templates for reporting suspicious activity from obliged entities to FIUs, and by coordinating the conduct of joint analyses of cross-border suspicious activities with the aim of constantly improving such analyses. AMLA can request data and analyses from FIUs that are relevant to the assessment of threats, and issue guidelines and recommendations.
- Monitor developments in third countries and assess threats, vulnerabilities and risks in relation to their AML/CFT systems. Further, AMLA may develop contacts and enter into administrative arrangements with authorities in third countries that have regulatory, supervisory and FIU-related AML/CFT competences.
New Regulation setting out directly applicable AML/CFT rules
As part of the legislative package, the Commission proposed a new draft “AML Regulation” which will contribute to fulfilling the objective of establishing an EU single rulebook. A main issue undermining the EU’s AML/CFT framework is the fragmented application of the rules. Therefore, the rules in the AML/CFT Regulation will be more detailed and precise than those currently set out in the AML Directive, and will include a number of regulatory technical standards that will be prepared by AMLA. In particular, the Commission suggests the following amendments:
- Update and broaden the range of obliged entities falling under the scope of the AML Regulation. The scope of crypto-asset service providers (CASPs) is aligned with that of the Financial Action Task Force (FATF) and thus widened; it also includes crowdfunding service providers which fall outside the EU Crowdfunding Regulation, creditors for mortgage and consumer credit, and operators involved on behalf of third country nationals in the context of investor residence schemes.
- Define in more detail obliged entities’ requirements in devising and implementing policies to identify and assess ML/TF risks. This includes appointing a dedicated compliance manager, whose tasks will be further defined, and training staff appropriately. Clarifications are provided in relation to the requirements that apply to groups and the role of parent entities that are not themselves obliged entities.
- Clarify provisions on customer due diligence (CDD), in particular in relation to identifying and verifying the customer’s identity, conditions for the use of electronic identification, as well as rules on simplified and enhanced due diligence measures.
- The proposal clarifies the respective conditions for relying on CDD already performed by other obliged entities and for outsourcing functions to other entities or service providers, and maintains that the ultimate responsibility for conformity with AML/CFT rules remains with the obliged entity.
- Clarify rules relating to beneficial ownership. More detailed rules are provided to identify the beneficial owner(s) of corporate and other legal entities, and a harmonized approach to the identification of beneficial ownership is laid down.
- The proposal contains a provision preventing traders in goods or services from accepting cash payments of over EUR 10 000 for a single purchase, while allowing Member States to maintain in force lower ceilings for large cash transactions. This ceiling does not apply to private operations between individuals.
- Put an end to anonymous accounts. Credit institutions, financial institutions and CASPs would be prohibited from keeping anonymous accounts, anonymous passbooks, anonymous safe-deposit boxes or anonymous crypto-asset wallets as well as any account otherwise allowing for the anonymization of the customer account holder. This could impact (or potentially target) criminal organizations active in the ransomware business.
- Clarifications on how to identify suspicious transactions to FIUs in order to facilitate obliged entities’ compliance with their reporting obligations and allow for a more effective functioning of the FIUs’ analytical activities and cooperation.
- Adapt policy in relation to third countries identified as posing risk based on FATF assessment or the Commission’s assessment. Third countries so identified by the Commission will be subjected to two different sets of consequences, proportionate to the risk they pose to the EU’s financial system.
The Regulation will apply three years after the date of entry into force.
Proposal for a 6th AML Directive
The Commission’s proposal for a 6th AML Directive (the Directive) provides for a number of changes of substance aiming to bring about a greater level of convergence in the practices of supervisors and FIUs and in relation to cooperation among competent authorities. However, provisions on risk assessments or the collection of statistics are largely left unchanged, and only reviewed to take stock of the current inefficiencies identified, such as the excessive frequency of the supra-national risk assessment and the requirement to collect statistics on illegal activities.
The draft Directive provides for the following amendments:
- Extension of the frequency of the assessment of AML/CFT risks at EU level to every four years, with findings reported to the European Parliament and Council. Member States are also due to carry out national risk assessments at least every four years.
- Clarifications on the responsibilities and powers of national supervisors and the rules for information-sharing between supervisors and obliged entities.
- New provisions on FIUs, including on the financial analysis function of FIUs and on their operational independence, their resources and their security.
- New provisions on AML/CFT supervision, including the tasks and powers of national supervisors, and the creation of an AML/CFT supervisory when cross-border credit or financial institutions operate in several Member States.
- New provisions on self-regulatory bodies (SRBs).
Revision of the 2015 Regulation on Transfers of Funds
The Commission’s rationale behind the proposed revised Regulation on Transfers of Funds is to ensure that crypto-asset transfers bear the same obligations as cross-border wire transfers, as both are subject to similar ML/TF risks and such tracing can be a valuable tool in the prevention and detection of ML/TF. While some CASPs are already covered by AML/CFT rules, the proposal extends these rules to the entire crypto-asset sector. Specifically, the Commission suggests to:
- Widen the scope to include CASPs offering a traditional wire transfer service, or a crypto-asset transfer between a CASP and another obliged entity, whether a CASP or an obliged entity, such as a bank. The rules will apply if at least one of the CASPs involved in the transfer of crypto-assets is established in the EU.
- Impose obligations on CASPs of the originator to ensure that transfers of crypto-assets are accompanied by the originator’s name, account number, address, official personal document number, customer identification number or date and place of birth, along with the beneficiary’s name, and account number when possible.
- Impose obligations on CASPs of the beneficiary to implement effective procedures to detect whether the information on the originator is included in, or follows, the transfer of crypto-assets, and to implement effective procedures, including, where appropriate, ex-post monitoring or real-time monitoring, in order to detect whether the required information on the originator or the beneficiary is missing.
The extension of the monitoring and retention requirements to providers, including crypto-assets, might have some adverse consequences both for those active in the ransomware business and for businesses transacting with them as part of ransom payments.
Conclusion
The Commission’s ambitious package aims to strengthen the EU’s AML/CFT supervisory framework at both the EU and Member State level, to clarify applicable rules to detect and prevent ML/TF, and to adapt the rules to the digital age. The use of Regulations, as opposed to Directives, will facilitate uniformity as once the rules are adopted in Brussels, they will become directly applicable in all Member States. Further, standards have been harmonized, such as for reporting obligations, customer due diligence, and beneficial ownership information, which overall reduces complexity although provisions have become more stringent.
While far-reaching, the proposals are overall non-controversial and should be approved rather swiftly. Both the Council and the European Parliament have supported the Commission’s suggestion to create an EU AML supervisor and render AML obligations more precise and stringent through a Regulation to ensure uniform application. One of the issues that remains unanswered is in which Member State AMLA’s seat will be established.