The Anti-Money Laundering and Countering Financing of Terrorism legislative package of the European Union (“EU”), proposed on 20 July 2021 by the European Commission, and approved by the European Parliament plenary this April was published in the Official Journal of the EU on 19 June. The new legislative package introduces significant regulatory changes in connection with the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, both on European and national level.
The legislative package rests on the following legal acts:
- Regulation[1] establishing an Authority for anti-money laundering and countering the financing of terrorism (the “AML Authority”) with supervisory powers, which will coordinate cooperation and exchange of information within the EU;
- Regulation[2] on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (“AML/CFT Regulation”), by which directly applicable rules and procedures in member states will be introduced;
- New Directive[3], replacing the existing Fourth AML Directive[4], as amended, and supplementing the AML/CFT Regulation.
Authority for Anti-Money Laundering and Countering the Financing of Terrorism
The role and objective of the newly established AML Authority will be to strengthen the Anti-Money Laundering (“AML”) and Countering the Financing of Terrorism (“CFT”) legal framework by harmonizing supervisory practices across financial and non-financial sectors, directly supervising some high-risk and cross-border financial entities and coordinating financial intelligence units (“FIUs”). Located in Frankfurt am Main, Germany, it will function as a decentralized EU regulatory agency overseeing the AML/CFT system, including the non-financial sector.
Key responsibilities and respective powers of the AML Authority
In relation to the regulatory environment the AML Authority shall aim at strengthening the cooperation and information exchange between obliged entities, supervisors and supervisory authorities and non-AML/CFT authorities. It will be responsible for collecting and analyzing information on the application of AML/CFT rules, as well as the establishment of a central AML/CFT database containing any relevant data for supervisory activities with access for competent national authorities and bodies on a need-to-know and confidential basis. The AML Authority will also monitor developments and assess threats, vulnerabilities, and risks related to money laundering and terrorism financing, as it can issue clarifications and Q&A memoranda and provide trainings to raise awareness of and address these risks. For the purposes of carrying out these tasks the AML Authority shall have the power to develop regulatory technical standards, issue guidelines and recommendations, and provide opinions to the European Parliament, the EU Council, and the EU Commission on all issues related to its area of competence.
In relation to obliged entities the AML Authority’s main task is to ensure regulatory compliance. In general, it is envisaged that it will have supervisory and investigative functions with respect to selected obliged entities, with the ability to participate in group-wide supervision, and in particular in AML/CFT supervisory colleges. It will have the power to impose pecuniary sanctions, including periodic penalty payments, require financial supervisors to make use of their powers in the area of AML/CFT, issue binding decisions addressed to selected obliged entities.
The administrative measures in the AML Authority’s competence for non-compliance with the decisions taken include issuance of orders and recommendations, as well as public statements identifying a natural or legal person in breach of the AML/CFT rules. It will also be capable to interfere in entities’ activities by restrictions or limitation of business, operations or network of institutions comprising an obliged entity, require the divestment of activities, changes in governance structure or proposing withdrawal or suspension of an authorization where applicable.
In relation to supervisors the AML Authority will have to provide AML/CFT assistance and promote high supervisory standards and practices. It shall investigate breaches or non-application of EU law, issue recommendations and warnings, and mediate disagreements on measures for obliged entities. Financial supervisors must notify the AML Authority if an obliged entity’s situation deteriorates rapidly and significantly, and the Authority in turn shall be able to require the submission of information or documents, initiate investigations and address recommendations in cases of systematic supervision failures by a financial supervisor.
In relation to FIUs the AML Authority will have the function to support and improve cooperation between them by promoting common approaches and best practices, preparing and coordinating assessments and analyses of money laundering and terrorism financing threats, as well as resolving disagreements. To enhance consistency and effectiveness, it shall establish a peer review process, and provide specialized training and expertise. The AML Authority will have the power to request non-operational data and analyses from FIUs, collect information and statistics, and issue guidelines and recommendations.
Direct Supervision of Selected Obliged Entities
One of the most important developments of the new legislative package is that the AML Authority will have the power to directly supervise some high-risk entities operating across at least six member states. In this regard, it should develop and maintain AML/CFT benchmarks and a supervisory methodology for classifying entities into risk categories, detailing the approach to their supervision. The AML Authority will periodically assess customers, products, services, transactions, delivery channels, and geographical areas of credit and financial institutions, regardless of their operating method (through infrastructure on the territory concerned or remotely).
Credit institutions and financial institutions, and groups thereof with a high residual risk profile shall qualify as selected obliged entities, with the first selection process starting by 2027. Additionally, the AML Authority will be able to take on direct supervision tasks for non-selected entities in exceptional circumstances at the request of a financial supervisor and conduct all necessary on-site inspections.
New rules on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing
One of the main objectives of the AML/CFT Regulation is to harmonize the rules and procedures related to AML/CFT across all member states of the EU. This approach will create a more consistent and effective framework across the EU, reducing discrepancies between national regulations and enhancing cross-border cooperation.
Therefore, the new AML/CFT Regulation sets uniform rules on customer due diligence and beneficial ownership transparency, measures with respect to occasional transactions or business relationships with politically exposed persons, measures to mitigate risks deriving from anonymous instruments, limits to large cash payments, specific measures for individual third-country respondent institutions, prohibition of correspondent relationships with shell institutions, etc.
Obligations with respect to AML/CFT measures
The new legal framework expands the scope of obliged entities, now including all types and categories of crypto-asset service providers under the new MiCA regime, crowdfunding platforms, mortgage and consumer credit intermediaries, investment migration operators assisting third country nationals in obtaining EU residence permit, persons trading in certain high-value goods as well as in precious metals and stones, professional football clubs and football agents.
By virtue of the AML/CFT Regulation obliged entities are required to implement AML/CFT measures and report suspicious activities to FIUs. Specifically, they shall have in place internal policies, procedures, and controls to ensure compliance, take appropriate measures, proportionate to the nature of their business, to identify and assess money laundering and terrorism financing risks they are exposed to, including the risks of non-implementation and evasion of targeted financial sanctions. Obliged entities must also ensure their relevant employees, agents, and distributors are aware of the regulatory requirements and internal policies, including data processing for the purposes of AML/CFT. These requirements shall apply to all branches and subsidiaries of the obliged entity, both within member states and in third countries. In addition, entities wishing to carry out activities within the territory of another Member State for the first time must notify their home state supervisors.
The AML/CFT Regulation introduces special rules for the obliged entities to outsource to third parties tasks related to the measures for combating money laundering and terrorism financing.
Customer due diligence
The rules for customer due diligence are now harmonized by the AML/CFT Regulation, thus creating a single framework with more detailed and harmonized rules and information needed to identify beneficial owners by obliged entities, as they must make the information collected available to competent authorities upon request and without delay. Obliged entities, inter alia, are responsible to carry out identification of the purpose and intended nature of a business relationship or one-off transaction, ongoing monitoring of the business relationship and transactions performed by customers and to update customer information regularly. The new AML/CFT Regulation also includes disclosure requirements for nominee shareholders and nominee directors.
Another requirement is that obliged entities should report to the central registers any discrepancies they find between the information available in the central registers and the information they collect. There are certain exceptions in this regard, such as cases of minor discrepancies, outdated data, when there are no grounds to suspect intention of concealing information, or in relation to information which independent legal professionals, auditors, accountants, etc. receive from, or obtain on, a client. It is worth mentioning that the Bulgarian legislation already contains such requirements (entering into force as of 16 July 2024) for the obliged entities to report to the Bulgarian Registry Agency any discrepancy they identified during their checks, when such discrepancies are related to the data available in the Bulgarian Commercial Register and Register of Non-profit Legal Entities for the ultimate beneficial owners of the relevant entities.
For the purposes of dealing with money laundering and terrorism financing threats from outside the EU, non-EU legal entities also need to register their beneficial ownership in the member states’ central registers when they have certain links with the EU. Moreover, third countries with significant strategic deficiencies and with compliance weaknesses in their national AML/CFT regimes shall be identified by the EU Commission and designated as “high-risk third countries”, as a result of which obliged entities will have to apply enhanced due diligence measures with respect to the business relationships or one-off transactions involving natural or legal persons from that third country.
On the other hand, similar to what is provided in the current AML/CFT regime, where the business relationship or transaction presents a low degree of risk, obliged entities may apply simplified due diligence measures, such as verifying the identity of the customer and the beneficial owner after the establishment of the business relationship, reducing the frequency of customer identification updates, the amount of information collected and the frequency or degree of scrutiny of transactions.
Under certain conditions obliged entities may rely on other obligated entities, whether located in a Member State or in a third country, to meet the customer due diligence requirements.
Entry into force and application
The newly approved legislative acts interact cohesively, complementing each other to establish a sustainable legal framework. This framework includes directly applicable provisions where possible and binding AML/CFT measures for member states where direct rules are not feasible or justified.
The implementation of the new rules will be gradual, with the full set expected to be in place by mid-2027. However, some provisions will take longer for the private sector, member states, and the EU Commission to implement and will be introduced at a later stage.
The provisions for establishing the AML Authority, as well as those concerning the implementation of certain of its tasks, apply as of 1 July with the aim for the AML Authority to begin most of its activities by mid-2025.
[1] Regulation (EU) 2024/1620 of the European Parliament and of the Council of 31 May 2024 establishing the Authority for Anti-Money Laundering and Countering the Financing of Terrorism and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
[2] Regulation (EU) 2024/1624 of the European Parliament and of the Council of 31 May 2024 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing.
[3] Directive (EU) 2024/1640 of the European Parliament and of the Council of 31 May 2024 on the mechanisms to be put in place by Member States for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Directive(EU) 2019/1937, and amending and repealing Directive (EU) 2015/849
[4] Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC
By Margarita Zhivkova, Associate, Eversheds Sutherland