INSIGHTS
February 15,
2017
Anticipating the Fifth EU AML Directive
Following the approval of the Fourth European Union (EU) Anti-Money Laundering (AML)
Directive (4AMLD) in 2015, the “obliged entities” in scope have been subject to an everchanging regulatory landscape as further amendments to 4AMLD were proposed in 2016.
Because of the release of the Panama Papers, 1 a range of terror attacks in Europe and the
EU Parliament’s desire to align with the Financial Action Task Force (FATF) AML
recommendations, the approval for amendments to 4AMLD are still underway. 2 Additional
parliamentary meetings and various counterproposals have contributed to further
discussion and revision of the 4AMLD amendments, in an effort to adapt to new and
emerging threats facing the existing AML framework. The proposed amendments to
4AMLD are now being addressed in what is referred to as the Fifth EU AML Directive
(5AMLD, or “Compromise Text”) and remain under review.
As it stands, the agreed-on 4AMLD text and the transposition date of June 26, 2017, will
remain, but financial institutions should anticipate further regulatory change to come from
the adoption of the 5AMLD. The directive will enter into force three days following its
publication in the Official Journal of the European Union and must be transposed within six
months of the same publication. It is anticipated that the EU Parliament’s adoption of the
amendments will occur in June 2017. 3
Key Requirements of the 5AMLD
The 5AMLD proposes five main requirements that impact financial institutions:
1
The International Consortium of Investigative Journalists (ICJI): panamapapers.icij.org.
2
The FATF Recommendations: www.fatf-gafi.org/publications/fatfrecommendations/documents/fatfrecommendations.html.
3 Further detail of the 4th EU AML Directive is provided in the Protiviti Flash Report, The Fourth European Union
Anti-Money Laundering Directive, published in 2015: https://www.protiviti.com/US-en/insights/fourtheuropean-union-anti-money-laundering-directive.
Internal Audit, Risk, Business & Technology Consulting
1) Extending the Directive Scope to include Virtual Currencies
The 4AMLD has defined “obliged entities” as financial institutions, accountants, tax
advisors, lawyers, trust providers and estate/letting agents with whom the trustees form a
business relationship.
The 5AMLD has further broadened the scope of obliged entities to include virtual
currencies, anonymous prepaid cards and other, digital currencies such as bitcoin
exchanges and wallet services to the list of activities carrying the risk of money laundering
and terrorist financing (ML/TF). The 5AMLD better defines “virtual currencies” under EU
law, and includes the requirement to adopt this legal definition in AML legislation across
all member states. 4
Under the proposed 5AMLD, providers engaged in exchange services between virtual and
fiat 5 currencies and custodian wallet providers will be required to conduct ongoing
monitoring of relationships and report suspicious activity to government entities. While
regulators may not be focused on such currencies at present, increased scrutiny is expected
on these operations and the structures of such firms. Discussions have begun on
developing a central database for registering users’ identities and wallet addresses, in
addition to potential self-declaration forms for virtual currency users. This suggests that
future implications and obligations may become even more far-reaching, as transparency
and anonymity become a focus for these payment technologies.
How to Prepare
Virtual currency exchanges and wallet providers will need to become accustomed to the
new regulatory framework set out in the directive to identify and mitigate ML/TF risks
posed by virtual currency payment products and services. Providers of exchange services in
virtual and fiat currencies must develop and implement policies and effective mechanisms
to combat ML/TF risks in preparation for compliance with 5AMLD requirements.
4 A virtual currency is defined as: “A digital representation of value that can be digitally transferred, stored or
traded and is accepted by natural or legal persons as a medium of exchange, but does not have legal tender status
and which is not funds as defined in points (25) of Article 4 of the Directive 2015/2366/EC nor monetary value
stored on instruments exempted as specified in Article 3(k) and 3(l) of that Directive.” (Source: Council of the
European Union, Fifth Compromise Text 2016/0208 (COD), Dec. 19, 2016:
http://data.consilium.europa.eu/doc/document/ST-15605-2016-INIT/en/pdf).
5
Fiat currencies are defined as: “coins, banknotes and electronic money of a country that is designated as a legal
tender and is accepted as a medium of exchange in the issuing country” (Source: Council of the European Union,
Fifth Compromise Text 2016/0208 (COD), January 25, 2017: http://data.consilium.europa.eu/doc/document/ST15605-2016-INIT/en/pdf).
protiviti.com
2
Separately, the 4AMLD requires currency exchange and cheque cashing offices, and trust or
company service providers to be licensed or registered, and providers of gambling services
to be regulated. The 5AMLD underscores the same requirements, and goes further to
require EU Member States to ensure providers of exchange services between virtual
currencies, fiat currencies and custodian wallet providers are registered.
2) Addressing the Issue of Anonymity in Relation to Prepaid Cards
The proposed updates in 5AMLD related to use of prepaid cards aim to address the issue of
anonymity associated with such payment mechanisms. EU member states will be required
to identify the customer in the case of remote payment transactions where the amount
paid exceeds 50 euros.
After 36 months from 5AMLD being entered into force, identification shall be applied to all
remote payment transactions.
In the event that a risk assessment classifies a customer as low risk, member states may
allow obliged entities to be exempt from certain customer due diligence measures with
respect to electronic money where a number of risk-mitigating conditions are met. Such
conditions include, but are not limited to:
Maximum stored electronically amount is 150 euros (in the 4AMLD this threshold
was set at 250 euros)
Payment instrument is not reloadable and has a monthly maximum payment
transaction limit of 150 euros (for use only in that member state)
Sole use of the payment instrument is for the purchase goods or services
Must not be funded with anonymous electronic money.
In addition, a provision has been made for anonymous prepaid cards issued outside the EU
in third countries. The 5AMLD outlines new requirements for member states to restrict the
use of prepaid cards issued by third countries only to those third countries deemed to be
sufficiently compliant with requirements set out in current EU AML legislation.
How to Prepare
Obliged entities will be required to perform checks on prepaid card transactions in
accordance with the revised thresholds, and they will need to be able to first identity, and
protiviti.com
3
then refuse, payments made with anonymous prepaid cards from countries deemed to have
insufficient AML standards. Systems and controls should be tested to ensure that
thresholds can be adjusted to meet the requirements of the 4AMLD and the 5AMLD as
required. An operational impact assessment should be completed to create or revise
existing procedures, resources, governance, system requirements, etc., to meet these
proposed obligations.
3) Beneficial Ownership Registers
A key change adopted through the 4AMLD was the requirement for beneficial ownership
registers, whereby member states will be required to obtain and hold adequate, accurate
and current information on corporate and other legal entities, including trusts and similar
legal arrangements, incorporated or administered within their respective member state.
The 5AMLD further clarifies requirements and timing for the implementation of such
registers. Member states must be compliant with register requirements within 18 months
of the 5AMLD implementation date. Registers must be interconnected to the European
central platform within 18 months of its implementation in accordance with the technical
specifications and procedures set out in Article 4C of Directive 2009/101/EC. 6
Public access will be granted for those individuals or organisations that demonstrate a
legitimate interest in the beneficial ownership information. EU member states may choose
to broaden access in their national laws (e.g. public access for transparency); however,
access to register information must be granted within 18 months of implementation.
How to Prepare
Obliged entities should assess the information available in know your customer (KYC)
records and begin the information-gathering processes to mitigate any gaps in the
beneficial ownership data. Where there may be gaps or new requirements to obtain
beneficial ownership information, KYC periodic reviews should be used as an opportunity
to obtain or confirm existing beneficial ownership information so the necessary
information is available when it must be transferred into relevant beneficial ownership
registers.
Further information on the requirements and establishment of the European Central Platform can be found in
“Directive 2012/17/EU of the European Parliament and of the Council of 13 June 2012”, Official Journal of the
European Union: http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32012L0017.
6
protiviti.com
4
A formalised process to obtain, record and update the beneficial ownership information
required for the register should be developed. Technical requirements, including access
controls and operational challenges should also be considered and tested in preparation for
compliance with 5AMLD requirements.
4) Enhancing cooperation and information sharing among EU financial
intelligence units (FIUs)
In order to enhance and simplify access to information on the identity of holders of bank
and payment accounts, the 5AMLD requires member states to put centralised automated
mechanisms in place at the national level to identify payment accounts and bank accounts
held by a credit institution, thereby developing a central source to identify all bank
accounts for an individual person. Note that the 5AMLD leaves it up to each member state
to ascertain and develop a central registry or data retrieval systems to comply. The
proposed 5AMLD defines certain information that must be searchable and accessible in a
timely manner through such registries, which includes, but is not limited to, the following:
Account holder: name and unique identification number, or other identification
data deemed acceptable under national provisions per Article 13
Beneficial owner: name and unique identification number, or other identification
data deemed acceptable under national provisions per Article 13
Bank or payment account: IBAN number and account open and close dates, as
applicable.
Under the 5AMLD, member states may consider requiring other information deemed
essential for FIUs and competent authorities to fulfil their obligations under this directive
to be accessible and searchable through the centralised mechanisms. Currently, limitations
exist in certain member states, requiring the submission of a suspicious transaction report
or identification of a predicate offence to be made prior to any request for information. The
5AMLD further enhances the powers of the EU FIUs, as they will be permitted to request
information from any obliged entity. The proposed amendments in 5AMLD aim to extend
the scope for FIUs to make information more easily accessible and align the approach for
FIUs with international standards and best practices.
protiviti.com
5
How to Prepare
As member state FIUs will be permitted to request information from any obliged entity,
financial institutions should ensure that effective mechanisms are in place to coordinate
information internally and enables timely responses to requests from FIUs. In the handling
of these information requests, resources may need to be trained on the applicable data
privacy laws, utilisation of beneficial ownership and bank account data in the central
registers and new processes to provide information to FIUs.
5) Developing a Consistent EU Approach Toward High-Risk Third
Countries
The 5AMLD will require member states to apply a specific list of enhanced due diligence
(EDD) measures for transactions involving entities on a list of high-risk third countries
defined by the European Commission. This proposal outlines the minimum EDD measures
obliged entities must apply, which will provide for a formalised approach and alignment of
such EDD measures with the list of actions drawn up by the FATF. This will ultimately
lessen differences in regulatory requirements between member states, minimizing cases
where a select number of EU countries commercially benefit relative to others adopting
more stringent EDD requirements. Critically, this aims to reduce the ability of terrorists to
exploit weaknesses in these measures.
How to Prepare
Obliged entities should review and prepare to adopt the EU list of money laundering highrisk third countries into existing KYC processes. Risk rating methodologies may require
updating and may necessitate assessment and modification of KYC systems and
procedures, to fully address the EDD requirements set out in the 5AMLD for all
transactions involving high-risk third countries.
Next Steps
The amendments proposed in the 5AMLD are set out with an overarching goal towards a
consistent and harmonised approach across EU member states in mitigating ML and TF
within the financial system. Simultaneously, the proposed amendments will further align
the EU’s AML and CTF laws to the FATF AML recommendations, emphasising a move
towards a more global approach to tackling financial crime.
protiviti.com
6
It is evident from the ongoing revisions and various iterations of the amendments that the
5AMLD has proved to be more controversial than the 4AMLD, particularly with prepaid
cards and virtual currencies being more tightly regulated and uncertainty regarding the
implementation of centralised registers.
The 5AMLD is under review for any further counterproposal or approval between the EU
Parliament and the European Council. Discussions were scheduled for January 25, 2017,
but have since been postponed to June 2017. Given the impending transposition date of
June 26, 2017, for 4AMLD requirements to be adopted into national law, obliged entities
should be poised to implement the requirements proposed in the 5AMLD, as the window
between approval, publication into the Official Journal of the European Union, and
transposition of 5AMLD, is a rather ambitious and short six months.
protiviti.com
7
About Protiviti
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a
tailored approach and unparalleled collaboration to help leaders confidently face the future.
Protiviti and our independently owned Member Firms provide consulting solutions in
finance, technology, operations, data, analytics, governance, risk and internal audit to our
clients through our network of more than 70 offices in over 20 countries.
We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global
500® companies. We also work with smaller, growing companies, including those looking
to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of
Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
Contacts
Carol Beaumier
Managing Director
+1.212.603.8337
[email protected]
Bernadine Reese
Managing Director
+44.207.0247.589
[email protected]
Matt Taylor
Managing Director
+44.207.0247.517
[email protected]
Acknowledgments
Thank you to the following Protiviti consulting professionals who contributed to this
report:
Erin Gavin
Helen Van Riel
James Fitzgerald
Katrina Nardiello
© 2017 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services.