When the EU’s fourth anti-money laundering directive (AMLD) [directive 2015/849] came into force on June 26, 2015, all compliance officers and supervisory authorities in EU member states started to roll up their sleeves to make sure the necessary changes were made to comply within the customary two-year deadline set out by the Commission for transposition. The first sign that this was going to be a rough ride surfaced when a political commitment was reached for the transposition to be moved forward to the end of 2016 as a response to the hideous terrorist attacks in central Europe in November 2015 and March 2016.
Although this date was clearly unrealistic, particularly in view of the material infrastructural changes required to set up a beneficial owner central register in each and every member state of the union, the political will to react to the atrocities of terrorism in Europe prevailed and domestic policy makers were left with no option but to make sure that the impossible happens. But this was not to be, and to date not one member state has transposed the provisions of the fourth AMLD.
The goalposts, changed once again in July 2016, this time even more radically, when another commission proposal that set out several proposed amendments to the fourth AMLD was issued, stirring controversy not only in terms of timing but also in terms of content. Various commentators suggested that the European Commission was unceremoniously going way too far in its encroachment on the right to privacy and, at the same time, the measures being proposed risked causing the wholesale flight of holding and passive entities, and possibly even trusts, from the union.
As the commission proposal was debated at a number of working party meetings, it slowly started to get a life of its own and morphed into what is now being widely termed the fifth AMLD – a directive that should come into force before the transposition of the fourth AMLD that will amend rather than replace it, so as to widen its scope and strengthen the measures it implements.
The date by which the transposition of the fourth AMLD will need to take place remains unaltered, at least according to the negotiating mandate issued on December 19, 2016, at the end of the Slovak presidency of the council. What is being proposed in the text, that will now be subject to the trilogue meetings between the three main institutions of the EU is that all the measures contemplated in the directive, other than the setting up of the central beneficial ownership registers and the mechanism or repository identifying payment and bank accounts, would need to be implemented through legislative instruments brought into force by that date. The deadline for these measures are set to be postponed to 24 to 36 months from the coming into force of the fifth AMLD.
The extent to which this latest version of the fifth AMLD can be considered to be close to being a final version is still to be seen, and will depend largely on the ability of the Maltese presidency of the Council to broker an agreement between the European Commission and the European Parliament, whose standpoints on some critical issues still appear to differ substantially. It is still largely unclear whether the measures agreed upon in the current text, particularly those relating to transparency of beneficial ownership, will be softened further or whether the position of the hardliners will prevail. Convergence of views will not be easy and one would hope that the end result will not be a vague compromise that gives rise to more uncertainty than clarity.
Our own authorities still have to come forward with a consultation document that might shed some light on the intentions of the legislator. Although a cautious approach might be justified by the fact that certain parts of the text are still subject to discussion, the persons and entities that will be expected to comply with the new rules, presumably within very tight timeframes, are owed some direction and guidance, at least in respect of the provisions that are likely to have a material impact on the way they carry out their business.
One can safely presume that the main laws that will be amended will be the Prevention of Money Laundering Act and the Prevention of Money Laundering and Funding of Terrorism Regulations. Certain provisions in the Companies Act, the Trusts and Trustees Act and the Civil Code will also need to be revised to cater for the registration of beneficial ownership and beneficiary information. Naturally, the fine details as to how the legal requirements are to be applied in practice should find their place in a revised version of the FIAU Implementing Procedures.
Undoubtedly, the main change for all subject persons is the fact that the assessment of risk should now form the basis of every decision, process, policy and procedure on AML/CTF. The word ‘risk’ appears 149 times in the fourth AMLD, compared with 36 times in the third AMLD. In its attempt to further the ambitious task of mandating a complete shift to a risk-based approach, the directive requires states to commission a national risk assessment and the EU to carry out a supranational risk assessment covering the EU internal market. It also directs subject persons to develop risk-based policies and to conduct risk-based customer due diligence (CDD).
A risk assessment by all subject persons of their customers, the geographical areas with which there are connections, the products or services they provide and the channels through which they are approached by clients is now no longer optional. Indeed, subject persons are now required to build their policies and procedures around a risk assessment process that quantifies the level of ML/TF risk to which the entity is being exposed and to carry out varying levels of CDD (including ongoing monitoring) depending on the risk score given. The shift in mindset that needs to take place is hardly a minor one since having in place a standard procedure that applies to all customers alike will no longer be acceptable.
Subject persons should also be aware that the automatic entitlement to apply simplified customer due diligence (SDD) for specified customers and products has been removed and upon transposition of the directive, full justification to the regulator will have to be provided in those situations where simplified measures are applied.
Instead of having a list of situations where enhanced customer due diligence (EDD) and SDD should be applied, subject persons are now going to be left to their own devices to determine the level of CDD that needs to be applied. Except for those situations where additional measures are specifically required by the directive in the case of politically-exposed persons, high-risk jurisdictions and correspondent banking relationships, the directive and national laws will only provide generic guidance.
Every subject person must spell out and document their own risk appetite and determine what falls within or outside of it on the basis of a number of subjective and quantifiable criteria. The expectation of the supervisory bodies will no longer be easy to establish in view of the underlying subjectivity, meaning that subject persons will need to make sure that the systems that they have adopted are commensurate with the type of business they carry out, are proportionate to the size of their setup, that the CDD measures applied do actually mitigate the level of risk identified and the tolerance levels of the organisation and all measures and decisions are adequately documented. Guidance by the FIAU in this regard will become necessary even though the sectoral guidance on applying the risk-based approach issued by the FATF does provide a basic set of helpful guidelines.
Politically-exposed persons (PEPs)
The rules for politically-exposed persons should no longer be applied limitedly to persons outside Malta. Domestic PEPs will now be subject to the same scrutiny as foreign PEPs, together with high-ranking officials of international organisations and members of the governing bodies of political parties. Interestingly, in one of its recitals the directive warns subject persons that they should not automatically refuse the business of a PEP – The requirements are of a preventive and not criminal nature, and should not be interpreted as stigmatising PEPs as being involved in criminal activity. Refusing a business relationship with a person simply on the basis of the determination that he or she is a PEP is contrary to the letter and spirit of this Directive and of the revised FATF Recommendations.
In the case of domestic PEPs, the latest version of the fifth AMLD has softened the requirements slightly, allowing member states to apply standard CDD rather than enhanced measures in those situations where there are no risk variables that suggest that an overall higher risk exists. This proposed change, however, is still subject to discussion.
Central register of beneficial ownership
Possibly the most controversial measure in the fourth AMLD is the one that requires the setting up of beneficial ownership registers. Once the directive is transposed under Maltese law, not only will companies and other legal entities have to maintain accurate and current information on their beneficial ownership, including the level of beneficial interest held, but the information will have to be communicated to a central register which will be interconnected to other such registers within the EU. The same requirement will apply to the details of the settlors, trustees, protectors, beneficiaries and any other persons exercising ultimate control of a trust.
The changes at a glance
|Risk assessments at EU, country and customer level, together with a shift to risk-based supervision|
|A more risk-oriented application of CDD rules and the appropriate methods, sources and monitoring approaches|
|A mandatory risk-based assessment, requiring evidence-based measures, to replace the SDD and EDD regime|
|An expanded definition of PEPs|
|A revised definition of beneficial owner with more emphasis on control|
|The introduction of a central register for beneficial owners of companies and beneficiaries of trusts|
|Scope extended to include the entire gaming sector (including remote gaming) beyond just casinos|
|Increased sanctioning powers for supervisory authorities|
|New rules on the retention of documents and harmonization with EU data protection rules|
|Cash threshold for application of CDD to traders in goods lowered to €10,000|
|List of equivalent countries removed and replaced by a blacklisting mechanism<|
|More straightforward application of the reliance provisions|
According to the text issued late in 2016, in which the European Commission seems to have taken a couple of minor steps back in its pro-transparency stance when compared to the previous compromise texts, the central registers will be required to be accessible in a timely manner to competent authorities (including tax authorities) and FIUs, other subject persons carrying out CDD and any person or organisation that can demonstrate a legitimate interest, with member states being given the authority to set out the conditions under which legitimate interest is granted.
How the change in legislation will affect legal and accounting professionals
The challenges for the professional sector will probably be more pronounced than in the case of other subject persons. The first major stumbling block will be that banks and financial institutions will no longer be able to apply SDD to pooled client accounts, meaning that the high level of scrutiny professionals are being subjected to is likely to increase further.
Moreover, the fact that the directive places significant weight on national risk assessments by member states will also have a bearing on the professional sector. The recent UK national risk assessment found that both accountancy and legal professionals are high-risk targets for money laundering and that CDD processes and policies are weak. If the same conclusions are reached in our own national risk assessment and that of other jurisdictions, this is also likely to add to the level of scrutiny exercised in respect of professionals when opening bank accounts for clients, as banks will have no option but to treat such transactions as high-risk transactions.
It should also be noted that although the new rules will allow for a potentially easier CDD process with access to the register of beneficial owners, professionals and firms will not be allowed to rely solely on the register for carrying out their own CDD.
What is being contemplated in the commission proposal that should find its place in the fifth AMLD?
The negotiating mandate for the fifth AMLD released at the end of 2016 appears to be closer in spirit to the original proposal issued last July than to the more recent hard-line compromise texts issued after September. The initiative to apply a lower threshold of holding to determine beneficial ownership in the case of passive nonfinancial entities, for example, has been abandoned. So has the definition of ‘legitimate interest’ proposed by the European Commission.
The measures that are likely to remain in the text when the fifth AMLD is finally agreed upon should include the extension of AML/CTF rules to virtual currencies, with both the providers of exchange services and wallet providers being considered subject persons. The requirement on member states to have in place an electronic data retrieval system or central register of persons holding a bank account which will be accessible to FIUs and competent authorities should also be retained. The lowering of the threshold for identifying the holders of prepaid cards should also be lowered from €250 to €150. The discussions on the text of the directive dealing with other measures such as the disposal of documents to comply with data protection rules and who should have access to the controversial beneficial ownership register, remain extremely fluid.
The possibility that there will be further changes to the text should be taken as given and we will have to wait until the completion of the negotiations with the European Parliament before being able to comment conclusively on the merits or challenges of the fifth AMLD. Much can still done in the meantime and with the increase in administrative sanctions for non-compliance, there certainly is no room for complacency.
What should professional firms do to prepare?
|Firms should provide new AML/CTF training in 2017 once the transposition is complete.|
|An internal risk assessment should be carried out and documented|
|Policies, processes and handbooks need to be amended to reflect changes to the directive and to incorporate a risk-based approach|
|Firms should seriously consider adding an audit function to test procedures periodically|
|All new policies should be reviewed and approved by senior management|