26th March 2021
5AMLD Implementation - where are we now?
5AMLD Implementation Remains Patchy
The EU’s 5th Anti-Money Laundering Directive (5AMLD) was scheduled for translation into national law by 10 January 2020. Just over a year later, and after another update to the EU money laundering directive under the 6MLD, several countries have yet to fully adopt the 5AMLD into local legislation. Which begs the question: with so uncertain a regulatory environment and ongoing variations at a national level, what should firms do to respond? This article provides a high-level overview of the 5AMLD, a stocktake on implementation by different EU countries, and an update on how the 5AMLD has been adopted across different policy areas. It also explores what the current situation means for firms.
5AMLD: A Recap
The 5AMLD was adopted in May 2018 to update the existing Anti-Money Laundering (AML) regulations to improve the existing framework and Countering the Financing of Terrorism (CFT) in a more effective manner. This was against a backdrop of a slew of terrorist attacks on the continent between 2016 and 2017, the rise of crypto, and the aftermath of the Panama Papers which exposed the offshore holdings of many politicians in the European Union (EU). The EU also needed to adopt updated guidance issued by the global AML/CFT standard-setter, the Financial Action Task Force (FATF). As a consequence, 5AMLD introduced numerous new measures to prevent the use of the European financial system for illicit purposes. Several of these are included below.
New Obligated Entities in Scope
AML/CFT requirements were extended to auditors; external advisors and tax advisors; estate agents; fiat to crypto exchange providers; custodian wallet providers; and galleries, auction houses, and intermediaries in free ports engaging in the trade of art valued higher than EUR10,000. These firms were required to comply with all applicable AML/CFT laws and regulations.
High-Risk Third Countries
The EU made a commitment to publish a list of high-risk third countries – ie, countries that were not members of the EU – and 5AMLD provided specific Enhanced Due Diligence (EDD) measures for clients and their subsidiaries based in such countries. These included obtaining additional information on customers and UBOs, including the nature of the business relationship, evidence of source of funds and source of wealth, and the reason for the intended or performed transactions. It also required senior management approval within obligated entities to commence or continue the business relationship. With regards to subsidiaries of clients based in high-risk third countries, additional measures included prohibiting subsidiaries from holding an account and requiring increased assurance testing or external audit for branches and subsidiaries. There were also changes to EDD requirements for correspondent banking relationships, where one bank provides services to another – the ‘respondent’ – in a country, the latter does not have a presence – often the case for European banks working with respondent institutions in the emerging markets. Under 5AMLD, respondents in high-risk third countries became subject to EDD review by their correspondents in the EU, with the expectation that relationships should be amended or terminated if risks could not be mitigated.
Anonymous Financial Instruments
Anonymous accounts, passbooks, or safe deposit boxes were prohibited by the 5AMLD. A lower monthly transaction limit of EUR150 (down from EUR250) was also introduced for anonymous prepaid cards, necessitating due diligence requirements on holders of cards loaded with funds above that level. Online payment limits of EUR50 were also introduced.
Electronic Identification and Verification (IDV)
4AMLD had previously allowed for remote IDV, but 5AMLD also specifically sanctioned the use of electronic platforms, where they were regulated, recognised, approved, or accepted by the relevant national authorities. Firms could therefore now adopt electronic verification upon evidence that national eID programmes were in place, and as long as they were using an approved vendor.
Previously, under 4AMLD, businesses were required to conduct EDD on transactions that had ‘no apparent legal or economic purpose’, which were either complex and unusually large or demonstrated unusual patterns. Under 5AMLD, however, more grounds for EDD were provided, meaning that enhanced checks needed to be conducted if any one condition – high complexity, unusual size, unusual pattern, or no apparent legal or economic purpose – could be identified.
Politically Exposed Persons (PEPs) Lists
Countries were required to issue a national functional list of PEPs, not the PEP names themselves. This would hypothetically make it easier for firms to identify high-ranking PEPs, as opposed to public officials that represent a lower risk of money laundering.
Beneficial Ownership Registries
Under 4AMLD, countries were obligated to set up central public registries containing information on the name, month, and year of birth and country of residence of the Ultimate Beneficial Owners (e.g. those owning 25% or more of shares) of companies. 5AMLD required that these lists should be publicly accessible and interconnected at a national level to aid international cooperation, and should also be extended to cover trusts and similar legal arrangements. Companies were required to check these registers during their own Client Due Diligence (CDD) processes and notify the central registry of any discrepancies identified with beneficial ownership information provided to them by the client.
National Implementation Challenges
While many countries have fully translated and implemented these measures, performance remains patchy and there are several countries that have failed to do so, leading the European Commission (EC), the EU’s bureaucracy, to initiate public proceedings against those countries for non-compliance. While 70% of countries have implemented the 5AMLD, a 30% gap remains. Countries that have partially adopted the 5AMLD include Belgium, Czech Republic, Hungary, Ireland, Netherlands, Poland, and Spain. Only Cyprus has been identified as not implementing any measures, although they recently announced the launch of their beneficial ownership registry later this year. The EU has launched “infringement procedures” against 22 countries for failing to or delaying “the notification of national transposition measures or their incompleteness.” These include Austria, Belgium, Croatia, Cyprus, Czech Republic, Denmark, Estonia, France, Ireland, Greece, Hungary, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.
If infringement proceedings do not lead to action, countries can ultimately be referred to the EU Court of Justice (ECJ) and fined. The following countries have already been referred to the ECJ for failing to implement 4AMLD, which had a deadline of May 2018: Austria was referred due to its betting and gambling legislation, Belgium due to weak mechanisms available for Financial Intelligence Units (FIUs) to exchange information, and the Netherlands due to ongoing deficiencies around beneficial ownership information. Romania has been fined EUR3 million and Ireland EUR 2 million for failing to transpose the 4AMLD correctly. Business Implementation Challenges
Where the 5AMLD has been adopted successfully, the question remains: what does implementation actually look like at a business level? This section looks at several key areas to understand the complexities that firms must navigate when carrying out business in the EU, and remaining AML/CFT compliant.
High-Risk Third Countries
The implementation of requirements around high-risk third countries got off to a difficult start. The EU defines high-risk third countries as those that pose a threat to the EU’s financial system due to deficient AML/CFT regimes. The EU initially published a list in 2019, which was subject to significant criticism from some of those on the list, including Saudi Arabia, and the US, who objected to the blacklisting of US territories. This led the list to be replaced with a new list published in 2020, based on a different methodology. This new methodology includes a process for increasing transparency in its listing process, including consultation with countries on initial findings and a timeframe for countries to improve AML/CFT framework before listing. Given the delays in publication of the list, it was difficult for firms to apply the ED requirements under the 5AMLD, which the EU now expects to be in place.
|High-Risk 3rd Countries|
Democratic People’s Republic of Korea (DPRK)
Trinidad and Tobago
Entities operating in the EU must ensure that the EU’s list is incorporated into their AML and CDD and Know Your Customer (KYC) policies and processes. This includes updating high-risk indicators used to calculate customer risk ratings, which subsequently drive on-going due to diligence and monitoring requirements, and tailoring transaction monitoring systems to identify suspicious transactions linked to higher-risk countries.
The extension of AML/CFT requirements to Virtual Assets (VAs) has been varied and somewhat contentious. For example, while the 5AMLD only calls for regulation of crypto to fiat exchanges, some countries have opted to go further and regulate crypto to crypto exchanges as well. Numerous firms have cited the compliance burden of 5AMLD as a reason for shutting operations or relocating to jurisdictions with no or light regulation. In Estonia, firms have experienced what has been described as the ‘great crypto purge’. Initially seen as a progressive and friendly market for the crypto industry, public reporting indicates that the Estonian FIU has revoked over 1,000 licenses since enacting 5AMLD inspired AML/CFT legislation, roughly 70% of virtual currency firms operating in the country.
Across Europe, Virtual Assets Service Providers (VASPs) must register for AML/CFT supervision, however, what types of business this includes varies by state. In some countries, registration is with the financial regulator or central bank, and in other countries, registration is with the FIU. And while some countries have allowed VASPs to operate in their markets without being physically present in those countries, others have introduced the requirement for providers to have operations in-country and register with domestic company registries.
VASPs looking to enter the European market, therefore, need to understand particular national licensing requirements, as well as whether they must establish offices to offer services to local customers. VA firms will have to ensure that they have AML/CFT programmes in place that adequately manage their risks, and can provide evidence to demonstrate that. This will include risk assessments, CDD/KYC processes, screening, blockchain transaction monitoring, training, and reporting. As the crypto industry is relatively nascent, the level of in-house AML/CFT expertise may vary widely. For firms looking to on-board VASPsas their customers, they too will need to understand how their client operates. This includes knowing the licensing requirements of their clients, any restrictions on processing crypto-related payments by financial services firms applied by local regulators, and assessing the AML/CFT frameworks, as well as the understanding of their clients’ inherent financial crime risks, and the actions clients have taken to manage them.
Beneficial Ownership Registries
Similar to other requirements, the creation of beneficial ownership registers has been inconsistent. A report by Global Witness highlighted that by the implementation date, only 5 countries (including the UK at that time) had fully and properly implemented a public beneficial ownership registry available to the public, with others partially implementing the requirements. Even where registries were in place, there were issues, including limited data. A recent investigation into Luxembourg’s corporate registry, dubbed ‘OpenLux’, revealed that over 10,000 entries featured foreign companies where the UBO was located in a secrecy jurisdiction and that beneficial ownership declarations had not been forthcoming by 80% of private investment funds. Civil society organizations have flagged that in this and other instances, the quality of data varies, and registers do not have the powers to verify the information submitted by companies and ensure that the data remains accurate and up-to-date.
Further issues have included barriers to access, through countries introducing paywalls or making the right to search dependent on holding specific citizenships, types of personal documentation, or the possession of the right tax number for the company. Some jurisdictions have also put in place arrangements so that companies are alerted when they have been the subject of a search, which is a potential disincentive to those who might be concerned about their interest being flagged.
In addition to being obliged to submit beneficial ownership information in a timely manner, firms operating in the EU must verify the identity of the beneficial owners in line with local requirements and thresholds. Firms have the opportunity to save costs and access national registries to validate the information, but the apparent benefit comes with uncertainty about the quality or completeness of the information, making it essential to work with a proven data vendor to obtain comfort that optimal CDD/KYC is taking place. The 5AMLD also brings the additional compliance burden that individual businesses must notify the registrar of any discrepancies that they find.
Functional PEP Lists
While the issue of functional PEP lists by member states under the 5AMLD was welcomed by the industry, the competent authority responsible for the list varies from country to country, and finding them can often be very challenging for the private sector. For example, in France, the list of functions covered by the definition of PEPs is contained in an order issued by the Minister of the Economy, whereas in other countries, it might be issued by national regulators or other government departments. While there is an expectation that the EU will eventually release a consolidated EU-level list, little public information on its availability is currently available. Despite the efforts to help private companies, many of these efforts have so far created more complications and administrative burdens for firms as they seek to identify PEPs in their customer book.
Firms, therefore, need a robust strategy for detecting PEPs. One option is to carry out the research in-house and maintain up-to-date functional PEP lists (which may or may not change) – tasks that can be timing consuming and costly. Another option is to work with data providers who maintain carefully curated PEP lists which can be used to more efficiently screen potential clients. Either way, firms must take adequate steps to comply with the need to carry out EDD, and despite some of the good intentions that have shaped 5AMLD, those responsibilities remain very much on private sector shoulders.