In our previous article, we took a glimpse at the U.S. anti-money laundering labyrinth, while in our present article the 4th AML Directive of the EU is in the center of attention.
Point (4) of the directive emphasizes the international nature of money laundering, calling for action not only at a national level, but even beyond the European Union. This mainly means that EU regulations, recommendations and directives, including the 4th AML directive, should align as closely as possible with the International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation adopted by the FATF in February 2012 (the ‘Revised FATF Recommendations’). One trace of the adoption of the FATF Recommendations is the greater emphasis on tax-related crimes. Nonetheless, the directive is also careful to respect the often-divergent national definitions of what constitutes a ‘tax crime’.
The path towards international standards also means that mutual evaluation reports issued by FATF and similar international organizations such as MONEYVAL will carry even more weight within the EU. Their recommendations are expected to be swiftly adopted whenever possible.
Record keeping has also been fixed to 5 years. The customer due diligence thresholds have also been altered to any single or related transactions reaching or exceeding €15 000, while this threshold for gambling service providers is €2000 in case of a single transaction. Using cash payments of EUR 10 000 or more for goods trading is also subject to the Directive. The Directive also allows the member states to set lower thresholds.
Changes and Challenges
The EU directive introduces promising principles as far as the burdens of financial institutions are concerned. Point (2) of the directive explains the crucial role of financial institutions in the fight against money laundering, but also adds that the regulatory environment should not impose “disproportionate compliance costs” on any company or business. Nevertheless, the unconcealed aim of the directive is to reinforce “the risk assessment obligation for banks, lawyers, and accountants;” to set “clear transparency requirements about beneficial ownership for companies;” and to strengthen “the sanctioning powers of competent authorities”, as is clear not only from the directive itself but also from the related press releases. This mainly manifests itself in changes in customer due diligence (CDD) rules, standardized monitoring thresholds, a central state register of beneficial owners, and a risk-based approach in general.
Customer Due Diligence and Suspicious Activity Report
In accordance with the new directive, banks should apply CDD measures when a new business relationship is established, when an occasional transaction or related transactions amount to €15 000 or more, or when there is a transfer of funds exceeding €1000. Regardless of the threshold, CDD measures are also required when suspicion of money laundering or terrorist financing emerges, or when there are any doubts about the reliability of the previous CDD. Additional CDD measures are required from credit institutions on beneficiaries of life insurance and other investment-related insurance policies.
For CDD, the customer’s identity shall be verified based on documents or any other reliable, independent source. Additionally, the ownership and control structure of the customer also need to be clarified, and the beneficial owner’s identity shall be checked and confirmed in the case of legal persons, trusts, companies, and foundations. To ensure the flawless verification of beneficial ownership, member states shall hold information on beneficial ownership in a central register that is accessible to financial institutions for CDD measures.
Due to the risk-based approach of the Directive, in certain cases enhanced customer due diligence measures are also required from financial institutions. A higher risk assessment is primarily related to third-country institutions, natural persons or legal entities, and politically exposed persons.
The Directive also encourages and requires financial institutions and their employees to file a suspicious activity report to the relevant financial intelligence unit. However, this article leaves plenty of room for interpretation for the member states.
Software Solutions and Data Sharing
The foregoing discussion suggests that compliance obligations haven’t been eased by the Directive. Thus, one question prevails: how can “disproportionate compliance costs” be avoided, while still adopting the highest standard of compliance? The answer in short is encouraging advanced software solutions and data sharing.
Point (19) of the Directive states that “new technologies provide time-effective and cost-effective solutions to businesses and to customers and should therefore be taken into account when evaluating risk. The competent authorities and obliged entities should be proactive in combating new and innovative ways of money laundering.” Even without the regulatory promotion of innovative software solutions, it is easy to see that conducting effective customer due diligence, mitigating AML risk, and monitoring suspicious activities are hardly possible without a robust technological system in place.
To avoid repeated customer identification procedures, the Directive also allows banks and other entities subject to the Directive to use shared data for customer identification if the identification has been conducted by another institution. It is important to note that data sharing is presented not only as a convenience, but also as an obligation. To be able to respond swiftly to enquiries from financial intelligence units, institutions are expected to ensure a safe yet rapid channel for data sharing.
Privacy and Security
This is not the only instance where the Directive mentions data security and privacy as a top priority. While protection of customer data has always been important in the banking sector, the identity of the reporting individuals also needs special protection, as even lives can be at stake. Storing and sharing sensitive data in a way that resists cyber-attacks necessitates a solid software system. It is easy to fall prey to hackers if there is any weak spot within the system, as shown by the unfortunate case of Italian UniCredit, where the accounts of approximately 400,000 customers were hacked. Inadequate measures taken to secure data may have legal consequences and will without doubt weaken the reputation of any bank or credit institution. Proper software-aided compliance is indispensable to prevent this from happening.