On 14 May 2018, the Council of the EU adopted the Fifth Anti-Money Laundering Directive (5MLD). The changes will complement the existing preventive legal framework by setting out additional measures to better counter the financing of terrorism and to ensure increased transparency of financial transactions and legal entities – without hindering the normal functioning of payment systems.

In particular, once 5MLD comes into force, cryptocurrency exchanges and custodian wallet providers will be subject to the same obligations to implement preventative measures and report suspicious activity as other firms under the Fourth Anti-Money Laundering Directive (4MLD), including requiring them to exercise customer due diligence.

Background

The terror attacks that took place in Europe in 2016 and the ‘Panama Papers’ revelations highlighted new trends in the way in which terrorist groups finance and conduct their operations, through the use of modern technology such as alternative financial systems.

5MLD, which amends 4MLD, aims to:

  • address risks linked to pre-paid cards and virtual currencies;
  • broaden access to information on beneficial ownership, improving transparency in the ownership of companies and trusts;
  • establish central mechanisms to identify holders and controllers of bank and payment accounts;
  • improve checks on transactions involving high-risk third countries; and
  • enhance cooperation between financial intelligence units (FIUs).

Virtual currencies and prepaid cards

Virtual currencies are developing quickly and are an example of digital innovation. However, there is a risk that they could be used by terrorist organisations to circumvent the traditional financial system and conceal financial transactions. Similarly, the anonymity associated with the use of pre-paid cards has also been identified as an area of heightened money laundering risk.

5MLD will therefore extend regulatory coverage to cryptocurrency exchanges providing exchange services between cryptocurrencies and fiat currencies, and to custodian wallet providers:

  • virtual (or crypto) currencies are defined in 5MLD as:

“a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically ”.

This definition covers any sort of coin or token (issued through an initial coin offering), irrespective of its inherent features.

  • custodian wallet providers are defined in 5MLD as entities which provide:

“services to safeguard private cryptographic keys on behalf of its customers, to hold, store and transfer virtual currencies.”

Bringing virtual currency exchange platforms and custodian wallet providers under the scope of the 4MLD as “obliged entities” means they will be subject to the same obligations as other firms (such as banks and payment institutions) under 4MLD to implement preventive measures relating to customer due diligence, including “know-your-customer” procedures, and report suspicious activity to domestic FIUs.

Issuers of pre-paid instruments are already covered by 4MLD (albeit EU Member States may allow firms to benefit from a CDD exemption for electronic money products, under certain conditions, referred to as simplified due diligence, or “SDD”). To minimise the use of anonymous payments through prepaid cards, 5MLD will lower the existing EUR250 threshold for identification to EUR150 in respect of non-reloadable prepaid payment instruments to which CDD measures apply when used face-to-face. 5MLD will also widen customer verification requirements for payments ‘on site’. More stringent provisions will apply for prepaid cards used on the internet, so that anonymous use will not be possible online.

Member States to establish central mechanisms to identify holders and controllers of bank and payment accounts

5MLD introduces a new obligation on Member States to put in place centralised automated mechanisms, such as central registries or central electronic data retrieval systems, which allow the identification, in a timely manner, of any natural or legal persons holding or controlling payment accounts and bank accounts identified by IBAN (i.e. an account holder, any person purporting to act on behalf of the customer and the beneficial owner of the account holder), as well as safe-deposit boxes held by a credit institution within their territory.

This information will be accessible to FIUs and national competent authorities.

To respect privacy and protect personal data, the mechanisms are required to store the minimum data necessary for the performance of AML and CTF investigations. In addition, individuals whose data has been stored should be informed that their data is recorded and accessible by FIUs, and they should be given a contact point for exercising their rights of access and rectification.

5MLD further provides that Member States should set out maximum retention periods applicable to the registration of personal data. Although access should be limited on a “need to know” basis, firms concerned will have to periodically file or upload information into the mechanism.

Transparency of beneficial ownership

Currently, under 4MLD, the information about the beneficial ownership of companies and trusts is accessible to competent authorities and obliged entities within the framework of CDD. Under 5MLD, public access will be granted to certain essential beneficial ownership information held in registries regarding companies and trusts that engage in economic activities.

For privacy reasons, access to information in relation to trusts (or similar legal arrangements) not engaged in economic activities (such as family trusts set up to finance studies or charitable aims) will only be granted to persons and organisations that can demonstrate a ‘legitimate interest’ or a controlling interest.

There is no definition of ‘legitimate interest’ in 5MLD – this will need to be defined by Member States. However, the recitals to 5MLD make it clear that the concept of legitimate interest should not be restricted to cases of pending administrative or legal proceedings, and a legitimate interest may be established where the disclosure “meets an objective of public interest and constitutes a necessary and proportionate measure in a democratic society to the legitimate aim pursued.”

Transactions involving high-risk third countries

5MLD sets out a prescriptive list of enhanced due diligence (EDD) measures that must be applied with respect to business relationships or transactions involving high-risk third countries, including:

  • obtaining additional information on the customer and beneficial owner;
  • obtaining additional information on the intended nature of the business relationship;
  • obtaining information on the source of funds and the source of wealth of the customer and beneficial owner(s);
  • obtaining information on the reasons for the intended or performed transactions;
  • obtaining the approval of senior management for establishing or continuing the business relationship; and
  • conducting enhanced monitoring of the business relationship by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination.

According to the European Commission, these measures are to be considered as a minimum set of requirements to be applied by all Member States.

Enabling FIUs to request money laundering and terrorist financing information from any firm

The latest Financial Action Task Force standards emphasise the importance of extending the scope of, and access to, information available to FIUs. However, this is currently limited in certain Member States by the requirement that a prior suspicious activity report (SAR) has first to be submitted by a firm.

Under 5MLD, FIUs will be able to request, obtain and use information from any obliged entity, even without a SAR having been submitted. This recognises that the need for FIUs to obtain additional information from obliged entities based on a suspicion of money laundering or financing of terrorism might be triggered through other means, such as the FIU’s own analysis, intelligence provided by competent authorities or information held by another FIU.

This does not include indiscriminate requests for information to the obliged entities in the context of the FIU´s analysis, but only information requests based on sufficiently defined conditions. An FIU should also be able to obtain such information on a request made by another EU FIU and to exchange the information with the requesting FIU.

Commentary

The implementation of 5MLD will mark a significant change in the regulatory landscape for cryptocurrencies, which have to date been largely unregulated. The message is clear: whilst technological innovation is to be encouraged and promoted, this should not be at the expense of transparency and the integrity of the financial system.

It is expected that 5MLD will come into force by the end of 2019, however, it is possible that UK regulators will choose to implement the reforms sooner than that. Firms that will be affected by 5MLD should therefore not delay in making preparations for the enhanced regime, including assessing whether their internal risk-based policies and procedures are, and will continue to be, ‘fit for purpose’ in this digital age.