The Fourth European Union Anti-Money Laundering Directive and Its Effects on Financial Institutions Operating in the EU
The Fourth European Union Anti-Money Laundering Directive (Fourth AML Directive), approved by the European Parliament on May 20, 2015, went into effect on June 25, 2015, repealing the 2005 Third AML Directive. Given the evolving nature of the money laundering and terrorist financing typologies, as well as the decade-old Third AML Directive in place, the Fourth AML Directive was not an unexpected development. In fact, the European Council approved the Fourth AML Directive as far back as February 2015. However, what does this mean for financial institutions with global operations or those seeking to enter the European markets in the near future?
Key drivers behind this development include some usual suspects, such as the increasing amount of illicit money flooding global markets (the United Nations Office on Drugs and Crime estimates that criminals may launder around $2 trillion annually. Other factors include: disparity of AML guidance implementation within the Member States, the need for alignment with the 2012 Financial Action Task Force (FATF) Recommendations and the 2013 European Commission Money Laundering and Terrorist Financing Impact Assessment. Below is a high-level overview at what the Fourth AML Directive actually says and some significant delta points from the Third AML Directive.
The Fourth AML Directive – Key Points
While the overall tone of the Fourth AML Directive remains consistent with the prior Directive, there have been key updates in several major areas of the document:
Risk-based approach
- Nationwide AML risk assessments. The Fourth AML Directive requires EU Member States to complete national-level risk assessments to identify, understand, manage and mitigate AML risks for individual jurisdictions. The EU Commission will conduct an assessment of the AML and Terrorist Financing (TF) risks at least every two years to identify cross-border threats. These national assessments are expected to assist Financial Institutions in conducting their own AML risk assessments, where factors such as customer, product, geography and channels must be taken into consideration.
- Absence of ‘white-listed’ jurisdictions. Under the Third AML Directive, financial institutions could rely on a ‘white list’ of countries outside of the EU where, according to the regulators, the AML regimes were considered equivalent to those within the EU Member States. This provided financial institutions with certain freedom to operate in such jurisdictions without considering each individual country’s AML risk. The Fourth AML Directive repealed the ‘white list’. Under the new regime, financial institutions must conduct country-specific risk assessments for any jurisdiction outside of the EU where such financial institutions do business.
- More stringent Simplified Due Diligence (SDD) requirements. Previous EU AML regime permitted certain financial institution customers and products to qualify for SDD status when they fell into a certain category (e.g., where a customer is a financial institution listed on a regulated market). The Fourth AML Directive requires financial institutions to determine the level of AML risk posed by a customer prior to applying the SDD status to such customer and provide justification for such qualification.
- Recordkeeping. The recordkeeping requirement for Customer Due Diligence (CDD) records for a period of five years is still in place, in line with the existing AML regime. However, in accordance with the EU Data Protection Directive, any information relating to an “identified or identifiable natural person” must be deleted, unless provided for by national law. Further retention may only be granted if necessary for prevention, detection or investigation of money laundering or terrorist financing, with maximum retention of up to ten years from the end of the business relationship with the affected customer.
- Beneficial ownership CDD and record retention. The Fourth AML Directive proposes enhanced measures for transparency of customers’ beneficial ownership information. In line with the Third AML Directive, financial institutions are still required to identify and conduct CDD on any beneficial owner that controls more than 25% of the shares or voting rights of a customer. However, more stringent beneficial ownership record retention requirements will now be in place. Financial institutions will be obligated to maintain registers of customers’ beneficial owners that must be accessible to law enforcement agencies.
- Bearer shares. Under the Fourth AML Directive, Member States will be required to prohibit companies from issuing bearer shares (defined as an equity wholly owned by a person/entity that holds the physical stock certificate and where the issuing firm neither registers the owner of the stock, nor does it track transfers of ownership). Current bearer shareholders will be permitted a nine-month period to exchange their bearer shares for registered shares.
- Senior management. The Fourth AML Directive introduces the new definition of “senior management” to mean “an officer or employee with specific knowledge of the institution’s exposure to money laundering or terrorist financing risk and sufficient seniority to make decisions affecting its risk exposure.” Unlike the Third EU Directive, where the definition of “senior management” was restricted to members of the Board of Directors of the financial institution, this definition is broader and appears to encompass a significantly wider group.
Tax Crimes
Tax crimes. In a departure from the Third AML Directive, the Fourth AML Directive now includes tax crimes (relating to both direct and indirect taxes) in the broad definition of ‘criminal activity’. This means that tax crimes are now included in the list of predicate offenses for money laundering and terrorist financing activities.
Politically Exposed Persons (PEPs)
Broader and clearer definition of PEPs. The Fourth AML Directive broadens the definition of PEPs and clarifies the requirements for carrying out Enhanced Due Diligence (EDD) on such PEPs. There are now two discrete categories of PEPs: Domestic PEPs and Foreign PEPs. Domestic PEPs are persons entrusted with a prominent public position within the EU and include persons present in the EU who work for international organizations based outside of the EU. Foreign PEPs include prominent individuals from outside of the EU. Where a PEP is no longer entrusted with a prominent public function, financial institutions must consider the continuing risk posed by affiliation with such PEP for at least 12 months (or longer, until the financial institution determines that the risk specific to such PEP has diminished).
Policies and Procedures
- Data protection policies. The Fourth AML Directive introduces new requirements for financial institutions to include data protection policies within their AML policies and procedures for customer information sharing.
- Home Member State AML requirements. The Fourth AML Directive also requires financial institutions with branches outside of the EU, specifically in jurisdictions deemed to have deficient AML and CFT laws, to implement AML requirements of the regulated entity’s home Member State in those branches. This requirement aims to eliminate the discrepancy in standards that the Financial Institutions must follow and raise the standards for AML compliance in operational jurisdictions of certain branches and subsidiaries. In the event a Financial Institution deems application of such standards “impossible”, it should notify competent authorities of the Member State in which its headquarters are located. This requirement is in line with the requirement in the Third AML Directive but has been highlighted by some European compliance publications as a point of closer scrutiny under the Fourth AML Directive.
Penalties
New minimum penalties for financial institutions. For serious, repeated and/or systematic failures in the areas of CDD, suspicious transaction reporting, record keeping and internal controls, minimum penalties may now include: public reprimand, cease and desist orders, suspension of authorization, temporary ban from managerial functions and maximum pecuniary sanctions of at least €5M or 10% of the total annual turnover (and at least €5M for a natural person). For non-financial institutions, penalties can amount to twice the amount of the benefit derived from the breach, or at least €1M. Unlike the prescriptive penalties in the Fourth AML Directive, the Third AML Directive only required Member States to ensure that appropriate administrative measures or penalties could be imposed on Financial Institutions in a manner that would be “effective, proportionate and dissuasive.” For natural persons sanctions could be adjusted “in line with the activity carried out” by that person.[1]
Cash Payments
New CDD transaction thresholds for merchants. The Fourth AML Directive includes a requirement for traders in goods that make or receive cash payments of €10,000 or more (in a single transaction or series of transactions that appear to be linked) to conduct CDD on that customer. This is a departure from the €15,000 threshold previously set by the Third AML Directive.
The Fourth EU AML Directive – Impact
Once Member States begin interpreting and localizing the Fourth AML Directive, there are no guarantees that the desired consistency of implementation (which was one of the stated goals of promulgating the Directive) will be attained. Thus, financial institutions will likely have to consider the overall requirements of the Fourth AML Directive as a baseline for their EU operations first, followed by a more detailed country-by-country assessment of the requirements that go above and beyond the ‘floor’ set by the Fourth AML Directive. For U.S.-based financial institutions, the challenge of reconciling the updated Treasury Department guidance with the Fourth AML Directive requirements and the individual country risk assessments by EU Member States may be particularly daunting. [2]
Furthermore, financial institutions will have to wrangle with reconciling the Fourth AML Directive data retention requirements with EU’s data protection regulations, which are slated to change in the immediate future.[3] This issue will be particularly acute for U.S.-based financial institutions, whose domestic privacy regime is widely regarded to provide weaker privacy and security protections by the EU regulators.
Despite apparent hurdles, the Fourth AML Directive is more prescriptive in many areas, which should clear up some ambiguity plaguing the AML regulatory landscape in the EU over the last decade. However, reconciliation and compliance with the new requirements will be an uphill battle for the next several years, especially for non-EU financial institutions operating across borders. EU Member States are required to undertake legislative action to implement the Fourth AML Directive by June 26, 2017. This provides financial institutions with some time to understand the baseline requirements. However, once Member States start implementing national laws pursuant to the Fourth AML Directive (something that may take significantly longer than the prescribed two years, given the history of extended deadlines for such actions in the EU), financial institutions will have to consider individual Member States’ nuanced requirements and adjust their compliance programs accordingly. This multi-year tiered adjustment process will impact not only financial institutions operating in the EU but also their branches, subsidiaries and may even drive further changes in the foreign financial institutions’ home jurisdictions.
Comparison Chart: Third AML Directive vs. Fourth AML Directive
Category | Third AML Directive | Fourth AML Directive |
Risk-Based Approach | Consider geography, customer, product and channel as part of the risk-based approach in establishing a compliance program. | Consider geography, customer, product and channel as part of the risk-based approach in establishing a compliance program.Include nationwide AML risk assessments conducted by individual EU Member States. |
“Third-country equivalent” (white list) AML systems to the EU permitted a “refutable presumption” of the application of simplified CDD in those jurisdictions.[1] | No white-listed jurisdictions. | |
Customers that are financial institutions located in the EU/EEA, or in a third country which imposes equivalent AML requirements (see above) may be subject to Simplified Due Diligence requirements. | Financial institutions must determine the level of AML risk posed by a customer prior to applying the SDD status to such customer and provide justification for such qualification. | |
CDD records must be retained for 5 years. | CDD records must be retained for 5 years.Any information relating to an “identified or identifiable natural person” must be deleted, unless provided for by national law. Further retention may only be granted if necessary for prevention, detection or investigation of money laundering or terrorist financing, with maximum retention of up to 10 years from the end of the business relationship with the affected customer. | |
Ownership and Management | Identify and conduct CDD on any beneficial owner that controls more than 25% of the shares or voting rights of a customer. | Identify and conduct CDD on any beneficial owner that controls more than 25% of the shares or voting rights of a customer.Information on beneficial owners must be submitted to a central register in each Member State. |
Issuance of bearer shares by companies permitted. | Issuance of bearer shares by companies is not permitted.Current bearer shareholders will be permitted a 9-month period to exchange their bearer shares for registered shares. | |
Senior management = members of the Board of Directors of the financial institution. | Senior management = an officer or employee with specific knowledge of the institution’s exposure to money laundering or terrorist financing risk and sufficient seniority to make decisions affecting its risk exposure. | |
Tax Crimes | N/A | Tax crimes (in the broadest definition permitted under individual Member States’ laws) will be a predicate AML offense. |
PEPs | Politically Exposed Persons (PEPs) = natural persons who are or have been entrusted with prominent public functions and immediate family members, or persons known to be close associates, of such persons. | PEP = a natural person who is or who has been entrusted with prominent public functions and includes the following:(a) heads of State, heads of government, ministers and deputy or assistant ministers; (b) members of parliament or of similar legislative bodies; (c) members of the governing bodies of political parties; (d) members of supreme courts, of constitutional courts or of other high-level judicial bodies, the decisions of which are not subject to further appeal, except in exceptional circumstances; (e) members of courts of auditors or of the boards of central banks; (f) ambassadors, chargés d'affaires and high-ranking officers in the armed forces; (g) members of the administrative, management or supervisory bodies of State-owned enterprises; (h) directors, deputy directors and members of the board or equivalent function of an international organization. No public function referred to in points (a) to (h) shall be understood as covering middle-ranking or more junior officials. |
Transactions and/or relationships with PEPs, financial institutions must:(a) have appropriate risk-based procedures to determine whether the customer is a politically exposed person; (b) have senior management approval for establishing business relationships with such customers; (c) take adequate measures to establish the source of wealth and source of funds that are involved in the business relationship or transaction; (d) conduct enhanced ongoing monitoring of the business relationship. | Transactions and/or relationships with PEPs, financial institutions must:(a) have in place appropriate risk management systems, including risk-based procedures, to determine whether the customer or the beneficial owner of the customer is a politically exposed person; (b) apply the following measures in cases of business relationships with politically exposed persons: (i) obtain senior management approval for establishing or continuing business relationships with such persons; (ii) take adequate measures to establish the source of wealth and source of funds that are involved in business relationships or transactions with such persons; (iii) conduct enhanced, ongoing monitoring of those business relationships. | |
N/A | Where a PEP is no longer entrusted with a prominent public function, financial institutions must consider the continuing risk posed by affiliation with such PEP for at least 12 months (or longer, until the financial institution determines that the risk specific to such PEP has diminished). | |
Policies and Procedures | Disclosure of information should be in accordance with the rules on transfer of personal data to third countries as laid down in Directive 95/46/EC of the European Parliament.Information exchanged between financial institutions in connection with AML or CTF investigations shall be used exclusively for the purposes of the prevention of money laundering and terrorist financing. | The Fourth AML Directive “is without prejudice to the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, including Council Framework Decision.”Member States shall ensure that the sharing of information within the group is allowed. Information on suspicions that funds are the proceeds of criminal activity or are related to terrorist financing reported to the FIU shall be shared within the group. FIUs cooperate in the application of state-of-the-art technologies in accordance with their national law. Those technologies shall allow FIUs to match their data with that of other FIUs in an anonymous way by ensuring full protection of personal data with the aim of detecting subjects of the FIU's interests in other Member States and identifying their proceeds and funds. |
Where EU-based financial institutions have branches and subsidiaries located in third countries where the legislation in this area is deficient, they should, in order to avoid the application of very different standards within an institution or group of institutions, apply the Community standard or notify the competent authorities of the home Member State if this application is impossible. | Financial institutions that are part of a group must implement group-wide policies and procedures, including data protection policies and policies and procedures for sharing information within the group for AML/CFT purposes.Financial institutions that have branches or majority-owned subsidiaries located in third countries where the minimum AML/CFT requirements are less strict than those of the home Member State, must have these branches and majority-owned subsidiaries located in the third country implement the requirements of the home Member State, including data protection, to the extent that the third country's law so allows. Where a third country's law does not permit implementation of the policies and procedures required above, financial institutions must ensure that branches and majority-owned subsidiaries in that third country apply additional measures to effectively handle the risk of money laundering or terrorist financing, and inform the competent authorities of their home Member State. If the additional measures are not sufficient, the competent authorities of the home Member State shall exercise additional supervisory actions, including requiring that the group does not establish or that it terminates business relationships, and does not undertake transactions and, where necessary, requesting the group to close down its operations in the third country. | |
Penalties | Member States should ensure that appropriate administrative measures or penalties could be imposed on financial institutions in a manner that would be “effective, proportionate and dissuasive.”For natural persons sanctions could be adjusted “in line with the activity carried out” by that person. | For serious, repeated and/or systematic failures in the areas of CDD, suspicious transaction reporting, record keeping and internal controls, minimum penalties may include:· public reprimand · cease and desist orders · suspension of authorization · temporary ban from managerial functions, and · maximum pecuniary sanctions of at least €5M or 10% of the total annual turnover (and at least €5M for a natural person). For non-financial institutions, penalties can amount to twice the amount of the benefit derived from the breach, or at least €1M. |
Cash Payments for Merchants | Persons trading in goods must report cash payments of €15,000 or more, either as one or multiple related transactions. | Persons trading in goods must report cash payments of €10,000 or more, either as one or multiple related transactions. |
[1] http://ec.europa.eu/internal_market/company/docs/financial-crime/3rd-country-equivalence-list_en.pdf. [1] http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32005L0060&from=EN [2] http://www.paymentlawadvisor.com/2015/06/22/treasury-department-publishes-national-money-laundering-risk-assessment-and-national-terrorist-financing-risk-assessment/. [3] http://www.consilium.europa.eu/en/press/press-releases/2015/06/15-jha-data-protection/.