The fourth Anti-Money Laundering Directive—a risk-based approach
The EU’s fourth Anti-Money Laundering Directive (EU) 2015/849 (4AMLD) comes into force on 26 June 2017. Partner Peter Binning says the Directive places greater emphasis on a risk-based approach to prevent money laundering and terrorist financing at all levels.
The 4AMLD is still in draft form—are you expecting any changes before it is introduced later this month?
The Directive was enacted on 25 June 2015, giving Member States two years to transpose the Directive into national legislation. This will be done in the UK by way of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). This Regulation also implements the Fund Transfer Regulation (EU) 2015/847 (FTR) that accompanies the Directive.
MLR 2017 aims to meet the international standards set by the Financial Action Task Force (FATF) and will come into force on 26 June 2017 in line with Article 67 of the 4AMLD, and Article 27 of the FTR. Financial Conduct Authority (FCA) guidance on the treatment of politically exposed persons (PEPs) will also be published in its final form by this date.
I consider it unlikely that there will be many significant changes to MLR 2017 from their draft version. The implementation has been on a relatively short timeframe, with the government publishing its draft version on 15 March 2017 with only a one month window for consultation.
However, it should be noted that amendments to 4AMLD were proposed following the Paris terrorist attack and the Panama Papers. These amendments remain under review and the UK will consult separately on any amended Directive when it has been published in the Official Journal of the European Union and has come into force.
What are the key changes?
The Directive places greater emphasis on a risk-based approach to prevent money laundering and terrorist financing at all levels.
It extends anti-money laundering (AML) and counter-terrorist financing (CTF) rules to all gambling services—not just casinos—unless the Member State can show their non-casino sector is low risk.
Written risk assessment
Firms in the regulated sector must take appropriate steps to assess risk of money laundering and terrorist financing and this must be documented and available to their supervisory authority on request. Organisations outside the regulated sector will still be expected to have regard to the standards expected when assessing their own compliance.
Corporates and legal entities will need to maintain current information on their beneficial ownership, and provide this to a central government register. The register will be accessible by law firms, banks and any other person that can show a ‘legitimate interest’.
HMRC will act as registering authority for all trust and company service providers who are not registered by the FCA. HMRC will maintain a register of beneficial owners of taxable trusts. The ‘Fit and proper’ test will be extended to agents of money service businesses.
Simplified due diligence (SDD)
Automatic SDD is discontinued. Firms will only be able to apply SDD following a robust risk assessment legitimising its use. This also applies to pooled client accounts.
High value dealers
The threshold has been reduced to €10k for customer due diligence (CDD) to be conducted when receiving cash payment for goods.
PEPs has been extended to include domestic individuals. A PEP must continue to be viewed as one for a year after they have left office, after which a risk-based approach must be taken (the FCA are due to finalise guidance on this point).
Firms must keep client information for a maximum period of five years after the end of the business relationship with the client.
Parent and subsidiary companies
Majority owned subsidiaries located in other jurisdictions with less strict AML requirements than those of the Member State must meet the requirements of the UK.
Third party equivalent
Third party equivalent removes the ‘white list’ from the Third Money Laundering Directive 2005/60/EC (3AMLD) which listed countries with equivalent AML procedures to the EU. Instead 4AMLD produces a ‘black list’ of higher risk countries.
The definition will be extended to include all relationships between two financial or credit institutions.
What are the sanctions for breaches?
There are both criminal and civil sanctions available under MLR 2017. Criminal sanctions cover:
• contravention of a relevant requirement
• prejudicing an investigation, and
• making false, misleading or reckless disclosure
HMRC and the FCA have the power to impose appropriate civil penalties where they are satisfied the person has breached a relevant requirement. Civil sanctions include:
• a public statement identifying the natural or legal person and the nature of the breach
• an order requiring the natural or legal person to cease the conduct and not repeat it
• a temporary ban against any person discharging managerial responsibilities in an obliged entity, or any other
natural person, held responsible for the breach, from exercising managerial functions in obliged entities
• maximum administrative pecuniary sanctions of at least twice the amount of the benefit derived from the breach, where it can be determined, or at least €1m
Will Brexit have any impact on our implementation of the Directive?
I don’t envisage it having an impact on the implementation of the Directive. The UK remains a Member State with all regulatory requirements until the end of Brexit negotiations. Furthermore, 4AMLD stems from recommendations made by FATF, of which the UK is a member, so it is highly beneficial to implement AML policies.
The UK is also a permanent member of the United Nations Security Council, as well as having signed the International Convention for the Suppression of Terrorism 1999 and the UN Convention against Corruption 2003. We are bound to implement strict AML legislation, whether we are in or out of the EU.
Some commentators have said the changes are ‘long overdue’—where have the gaps been up to now?
Under 3AMLD, there was often difficulty in addressing the definition of beneficial ownership and to what extent they needed to be identified. 4AMLD allows Member States to include a wider range of entities in beneficial ownership determination, and sets parameters for dealing with difficulties arising in this process.
Under the previous version, foreign PEPs were treated differently to domestic PEPs. 4AMLD has altered this distinction to bring domestic PEPs under the umbrella of those subject to enhanced customer due diligence (EDD), and requires firms to take a risk-based approach to all.
This latest version also provides greater clarity on certain points, including where senior management approval is needed and the extent to which it can be used and where responsibilities lie.
Are there any provisions that create grey areas or leave future gaps?
The burden of AML regulations is very significant and creates a real personal risk for compliance regulators, because each decision can be very subjective.
Is the Directive in line with other trends in this area—domestically and internationally?
This is in line with domestic trends. For example, under 4AMLD, tax offences are now included as a predicate offence for money laundering for the first time in the EU. However, this is already the case in the UK.
What challenges does the Directive pose for law firms in terms of their own AML practices?
Firms need to train staff on risk-based CDD and ongoing monitoring and on access to the central register of beneficial ownership. The removal of automatic SDD on pooled client accounts proposed in the MLR 2017 consultation is likely to have a significant effect on law firms who often hold client monies in the same accounts.
The Joint Money Laundering Steering Group provided further guidance on situations where it would be appropriate to apply SDD to pooled accounts, while adopting a risk-based approach. The Law Society is also in the process of drafting new AML guidance which will further assist in this area.
What advice should practitioners be giving clients to ensure compliance?
Firms should be advising clients to consider whether or not their approach is suitably risk-based because getting it wrong could lead to criminal or civil sanctions as I described earlier.
Clients will need to look at their current customer base and consider whether any existing customers need to be re-categorised as PEPs in line with the widening under 4AMLD. Practitioners should also be advising senior managers that they need to be aware of the impact of the Directive on their role—for instance situations that will require their approval.
Research by AML specialists says billions are wasted on chasing false leads. How difficult is it to ensure your response is both compliant and proportionate?
The aim of a risk-based approach is to try and achieve proportionate responses to the level of risk posed.
It is clear that the aim of guidance published alongside MLR 2017 is to try and combat elements of disproportionality. For example, the FCA guidance on the treatment of PEPs comes partly in response to an excessively cautious approach being applied by some firms in rejecting business from PEPs, their families and close associates to avoid high compliance costs. However, multiple companies already used a risk-based approach to PEPs and have lowered their compliance costs accordingly.
Where do you see the potential for new threats looking ahead?
Firms will be expected to apply high compliance standards and there will be an emphasis on making examples of poor compliance by robust enforcement action. The rapid increase in threats of cyber-crime and business interruption, including by terrorists, is going to continue to be a major business risk.
Interviewed by Grania Langdon-Down. This interview was originally published in Lexis PSL here.