Questions about the regulatory regime related to the 4th and 5th EU Anti-Money Laundering (AML) directives are among the most frequent ones we have been getting this quarter.
There can be no question that businesses are responding to increased regulations and, in turn, driving demand for anti-money laundering technology to support compliance activities. These regulatory adjustments strengthen the need for transparency in financial transactions. All financial institutions must therefore be fully prepared to face these new challenges.
The 4th and the 5th EU AML Directives
The EU’s recent anti-money laundering efforts have focused on combatting money laundering from criminal activities and countering the financing of terrorist activities. The 4th AML Directive (DIRECTIVE (EU) 2015/849) was issued in May 2015. This directive had a two-year window for implementation, so Member States must be compliant by 26 June 2017. A 5th Directive has since been issued, containing some additional amendments.
The 4th Directive covers a number of key areas, set out below:
The risk-based approach involves the assessment of risks across all levels. Risk assessment is conducted at a European level by the Commission, and the result feeds into national risk assessments.
All Member States are required to show evidence that they have taken steps to identify, assess, understand, manage and mitigate the risks of money laundering and terrorist financing. The results of their risk assessments are shared with other Member States, the Commission, EBA, EIOPA, and ESMA. Member States have to document their risk assessments and should have in place internal policies, controls, and procedures to manage the risks of money laundering and terrorist financing. This, by and large, means that they require the relevant entities within the states, including banks and other financial institutions, to demonstrate that they have done the necessary work.
Ultimate Beneficial Owners (UBOs)
This requirement obliges entities to develop processes to enable them to identify anyone who exercises ownership or control over them. This enables police to find criminals who wish to hide their identity behind a corporate structure. All corporate and legal entities incorporated within Member States are therefore required to hold adequate, correct and up-to-date information on their owners (e.g. company name, address and proof of incorporation). This information must be held in a central register by the Member State, and can be accessed by competent authorities, Financial Intelligence Units (FIUs) and credit and financial institutions as well as “any person or organization that can demonstrate a legitimate interest”. ‘Legitimate interest’ must take into account international law on data protection and the right to privacy. This requires organizations to find a balance between addressing money laundering risks and protecting personal data.
Customer Due Diligence (CDD)
Customer due diligence is a process through which organizations identify, verify, and understand their customers. It should be applied in specific circumstances, including:
- For people trading in goods, when carrying out transactions amounting to EUR 10.000 or more which appear to be linked (regardless of whether the transaction is carried out in a single operation or not).
- When there are doubts about the reliability of previously obtained customer identification and verification data.
- When entering into a business relationship.
- When there is any suspicion of money laundering or terrorist financing.
Organizations need to check and verify the customer’s identity, based on documents, data or any other relevant information which can be found from a reliable and autonomous source. For companies, they need to identify the beneficial owner and verify their identity, and assess and monitor the business relationship on an ongoing basis.
Politically Exposed Persons (PEPs)
This term is defined as anyone with “prominent public functions”, including heads of State, heads of government, ministers and deputy or assistant ministers.
Organizations are required to create a risk management system to identify potential PEPs and take measures when entering into a business relationship. These steps include obtaining senior management approval, identifying the source of wealth and ongoing monitoring of the relationship. These steps are also required for family members of PEPs, and the status lasts for at least 12 months after the person has stepped down from the position in question.
Gambling sector and tax crimes
The 4th AML Directive also covers tax crimes and providers of gambling services, as these are a key target for money laundering activity. Casinos and similar organizations are required to apply customer due diligence measures for any transactions amounting to € 2.000 or more, upon the collection of winnings, the wagering of a stake, or both.
What should you do?
My next update will cover the amendments to the 4th Directive introduced by the 5th Directive, and explain how organizations can take action to manage the requirements of the two directives.
If you are interested in learning more about the increasing importance of Financial Crimes Intelligence Units in banking, download the free Longitude Research Paper “Combating Financial Crime”.