On May 20, 2015, after two years of debate, the Fourth Anti-Money Laundering Directive (directive no. 2015/849/EU, hereinafter, the “Directive”) was passed by the European Parliament as a further step to strengthen the EU Anti-Money Laundering (“AML”) legal framework and enhance the protection of the integrity, stability and reputation of the financial sector from flows of illicit money related to money laundering, terrorism financing and organized crime.

The EU institutions have been trying to address the money-laundering issues for decades, looking for the best way to balance the advantages of freedom of capital movements and supply of financial services with the risks related to dirty money flows.

At the same time, the European Parliament has always been aware that attaining this purpose is of high complexity, and that it has to be achieved without imposing disproportionate compliance costs upon corporations.

The Directive and the EU Regulation on reporting obligations connected to money transfers, passed on 20 May 2015 (regulation no. 2015/847/EU, hereinafter, the “Regulation”), are the most recent attempts to improve the legal system to maintain and enhance the confidence that investors have in the EU financial system.

I. The Directive’s Innovations

A. The Central Register

The Directive confirms the so-called Know Your Customer duties and, in order to comply with international standards and best practices, introduces certain innovations to improve transparency in ownership structure and tackle issues relating to shell companies.

One of the main innovations provided under the Directive is that each EU Member State will be obliged to implement a central register[1] with the data collected by the legal entities subject to the AML legislation and related to the beneficial owner information[2] of companies and other legal entities (including trusts).

According to the Directive:

  1. The register will be accessible not only to regulators, financial institutions and other entities subject to the AML legislation but also to anyone that has a legitimate interest.[3]
  2. The information collected in the register will be that[4] which legal entities have to collect from their customers’ beneficial owners—name, date of birth, nationality, country of residence, and the interests they have in the transaction.

B. The Exclusions

For the first time, the Directive provides criteria that will allow EU Member State to exclude certain entities[5] from the AML legislation, i.e. subjects that engage in financial activities on an occasional and very limited basis, where there is little risk of money laundering or terrorist financing, provided that all of the following criteria are met: (i) the financial activity is limited in absolute terms; (ii) the financial activity is limited on a transaction basis; (iii) the financial activity is not the main activity of such subject; (iv) the financial activity is ancillary and directly related to the main activity of such person; and (v) the main activity of such person is not related to professional activities as auditors, external accountants and tax advisors, notaries and independent legal professionals, or to trust or company services providers, estate agents, and providers of gambling services, or the financial activity is provided only to the customers of the main activity of such person and is not generally offered to the public.

C. A New Approach to Politically Exposed People

The Directive provides a much more specific definition of politically exposed individuals.[6] Accordingly, politically exposed individuals include: heads of states and governments, ministers, members of parliaments and of legislative bodies, members of governing bodies of political parties, members of supreme courts and high judiciary bodies, members of the diplomatic corps, individuals managing or supervising state-owned companies, members of international organizations and their family members.

The main innovation is that the enhanced due diligence established by the previous legislative framework is now indiscriminately applicable to nationals and foreign politically exposed people.[7]

D. Due Diligence

With reference to Know Your Customer duties, the obliged entities must conduct due diligence on persons trading in goods, with regard to transactions of EUR 10k or more (whether the transaction is carried out in a single operation or in several operations).[8] Moreover, those measures must be applied to providers of gambling services, upon the collection of winnings, the wagering of a stake or both, when carrying out transactions of EUR 2k or more, whether carried out in one single operation or several operations.[9]

Another innovation of the Directive is the provision regarding electronic money. Electronic money is defined as electronically, including magnetically, stored monetary value as represented by a claim on the issuer, issued on receipt of funds, for the purpose of making payment transactions, and accepted by a natural or legal person other than the electronic money issuer.

Accordingly, if the risk assessment demonstrates a low risk, certain customer due diligence obligations may be derogated, when the following conditions are met: (i) the payment instrument is not reloadable, or has a maximum monthly payment transactions limit of EUR 250 which can be used only in that Member State; (ii) the maximum amount stored electronically does not exceed EUR 250;[10] (iii) the payment instrument is used exclusively to purchase goods or services; (iv) the payment instrument cannot be funded with anonymous electronic money; and (v) the issuer carries out sufficient monitoring of the transactions or business relationship to enable the detection of unusual or suspicious transactions.[11]

E. Further Provisions

Important provisions are set forth in relation to cooperation duties. As a matter of fact, the Directive establishes a general obligation for the obliged entities to fully and promptly cooperate with the competent authorities, first by reporting any suspicious operation, then by providing relevant information.[12]

The Directive establishes that the obliged entities belonging to groups must apply AML group policies. These must be efficiently applied in any branch and secondary seat of the group. Moreover, obliged entities having branches or secondary seats in third countries (outside EU) that impose lighter AML policies, must adopt therein the same AML policies they adopt in the seats they have in EU Member States.

Moreover, third countries outside EU that pose significant threats to the European financial system are to be identified. The EU Commission is empowered to adopt acts in order to identify said countries, in relation to: (i) the legal and institutional AML framework; (ii) the powers and procedures of their competent authorities; (iii) the effectiveness of the AML system.[13]

Finally, the Directive imposes an obligation upon EU Member States to introduce a complex scheme of both criminal and administrative sanctions. The sanctions must be applied both to natural persons and to legal entities.[14]

II. The Regulation

The European Parliament also passed a Regulation to improve the traceability of transfers.

In detail, the Regulation provides a definition of the entities subject to new rules: (i) credit institutions; (ii) electronic money institutions; (iii) post office giro institutions, which are entitled under national law to provide payment services; (iv) payment institutions; (v) the European Central Bank and national central banks, when they are not acting in their capacity as monetary authorities or other public authorities; (vi) EU Member States or their regional or local authorities, when they are not acting in their capacity as public authorities.[15] Moreover, differently from the previous legislation, the Regulation will apply to non-profit organizations as well.

For every transfer, the payment service provider must provide the name of the payee and the payee’s payment account number (in addition to the payer data).[16]

The Regulation provides for more detailed technical provisions regarding transfers of funds both within and outside the Union.[17] Specifically, when service providers are involved in a payment within the EU, the transfer will have to be accompanied by at least the payment account number of both the payer and the payee. Moreover, upon request by the service provider of the payee, the service provider of the payer will have to provide further information for transfer of funds of more than EUR 1.000 (such as the name, nationality and address of the payer).

III. Data Privacy Issues

The implementation of the AML legislation, which is strongly based on data collection, must be coordinated with data privacy law.

In particular, both the Directive and the Regulation set forth that personal data collected for the implementation of AML legislation shall be processed only for the purposes of the Directive and the Regulation, and the processing of such personal data for any other purposes, such as commercial purposes, shall be prohibited.

IV. Conclusions

The Directive will need to be transposed by the Member States into national legislation by 26 June 2017. The Regulation will be directly applicable in any Member States from the same date.

The Directive and the Regulation establish relevant innovations that will enable greater transparency in financial transactions. Central registers will be a significant instrument for identifying businesses involved in illicit activities while the enhanced due diligence obligations will raise significantly the level of attention required by the obliged entities, which will also need to prepare themselves to implement the new controls required.

We will also see how the significant data protection issues that the new rules raise will be solved in an effort to balance the protection of each individual’s personal data and the right to privacy with the transparency of the system.