The Fourth European Union Anti-Money Laundering Directive (Fourth AML Directive), approved by the European Parliament on May 20, 2015, went into effect on June 25, 2015, repealing the 2005 Third AML Directive. Given the evolving nature of the money laundering and terrorist financing typologies, as well as the decade-old Third AML Directive in place, the Fourth AML Directive was not an unexpected development. In fact, the European Council approved the Fourth AML Directive as far back as February 2015. However, what does this mean for financial institutions with global operations or those seeking to enter the European markets in the near future?
Key drivers behind this development include some usual suspects, such as the increasing amount of illicit money flooding global markets (the United Nations Office on Drugs and Crime estimates that criminals may launder around $2 trillion annually). Other factors include the disparity of AML guidance implementation within the Member States and the need for alignment with the 2012 Financial Action Task Force (FATF) Recommendations and the 2013 European Commission Money Laundering and Terrorist Financing Impact Assessment. Below is a high-level overview of what the Fourth AML Directive actually says and some significant delta points from the Third AML Directive.
The Fourth AML Directive – Key Points
While the overall tone of the Fourth AML Directive remains consistent with the prior Directive, there have been key updates in several major areas of the document:
- Nationwide AML risk assessments. The Fourth AML Directive requires EU Member States to complete national-level risk assessments to identify, understand, manage and mitigate AML risks for individual jurisdictions. The EU Commission will conduct an assessment of the AML and Terrorist Financing (TF) risks at least every two years to identify cross-border threats. These national assessments are expected to assist Financial Institutions in conducting their own AML risk assessments, where factors such as customer, product, geography and channels must be taken into consideration.
- Absence of ‘white-listed’ jurisdictions. Under the Third AML Directive, financial institutions could rely on a ‘white list’ of countries outside of the EU where, according to the regulators, the AML regimes were considered equivalent to those within the EU Member States. This provided financial institutions with certain freedom to operate in such jurisdictions without considering each individual country’s AML risk. The Fourth AML Directive repealed the ‘white list’. Under the new regime, financial institutions must conduct country-specific risk assessments for any jurisdiction outside of the EU where such financial institutions do business.
- More stringent Simplified Due Diligence (SDD) requirements. The previous EU AML regime permitted certain financial institution customers and products to qualify for SDD status when they fell into a certain category (e.g., where a customer is a financial institution listed on a regulated market). The Fourth AML Directive requires financial institutions to determine the level of AML risk posed by a customer prior to applying the SDD status to such customer and to provide justification for such qualification.
- Recordkeeping. The recordkeeping requirement for Customer Due Diligence (CDD) records for a period of five years is still in place, in line with the existing AML regime. However, in accordance with the EU Data Protection Directive, any information relating to an “identified or identifiable natural person” must be deleted, unless provided for by national law. Further retention may only be granted if necessary for prevention, detection or investigation of money laundering or terrorist financing, with maximum retention of up to ten years from the end of the business relationship with the affected customer.
Ownership and Management
- Beneficial ownership CDD and record retention. The Fourth AML Directive proposes enhanced measures for transparency of customers’ beneficial ownership information. In line with the Third AML Directive, financial institutions are still required to identify and conduct CDD on any beneficial owner that controls more than 25% of the shares or voting rights of a customer. However, more stringent beneficial ownership record retention requirements will now be in place. Financial institutions will be obligated to maintain registers of customers’ beneficial owners that must be accessible to law enforcement agencies.
- Bearer shares. Under the Fourth AML Directive, Member States will be required to prohibit companies from issuing bearer shares (defined as an equity wholly owned by a person/entity that holds the physical stock certificate and where the issuing firm neither registers the owner of the stock, nor does it track transfers of ownership). Current bearer shareholders will be permitted a nine-month period to exchange their bearer shares for registered shares.
- Senior management. The Fourth AML Directive introduces the new definition of “senior management” to mean “an officer or employee with specific knowledge of the institution’s exposure to money laundering or terrorist financing risk and sufficient seniority to make decisions affecting its risk exposure.” Unlike the Third EU Directive, where the definition of “senior management” was restricted to members of the Board of Directors of the financial institution, this definition is broader and appears to encompass a significantly wider group.
Tax crimes. In a departure from the Third AML Directive, the Fourth AML Directive now includes tax crimes (relating to both direct and indirect taxes) in the broad definition of ‘criminal activity’. This means that tax crimes are now included in the list of predicate offenses for money laundering and terrorist financing activities.
Politically Exposed Persons (PEPs)
Broader and clearer definition of PEPs. The Fourth AML Directive broadens the definition of PEPs and clarifies the requirements for carrying out Enhanced Due Diligence (EDD) on such PEPs. There are now two discrete categories of PEPs: Domestic PEPs and Foreign PEPs. Domestic PEPs are persons entrusted with a prominent public position within the EU and include persons present in the EU who work for international organizations based outside of the EU. Foreign PEPs include prominent individuals from outside of the EU. Where a PEP is no longer entrusted with a prominent public function, financial institutions must consider the continuing risk posed by affiliation with such PEP for at least 12 months (or longer, until the financial institution determines that the risk specific to such PEP has diminished).
Policies and Procedures
- Data protection policies. The Fourth AML Directive introduces new requirements for financial institutions to include data protection policies within their AML policies and procedures for customer information sharing.
- Home Member State AML requirements. The Fourth AML Directive also requires financial institutions with branches outside of the EU, specifically in jurisdictions deemed to have deficient AML and CFT laws, to implement AML requirements of the regulated entity’s home Member State in those branches. This requirement aims to eliminate the discrepancy in standards that the Financial Institutions must follow and raise the standards for AML compliance in operational jurisdictions of certain branches and subsidiaries. In the event a Financial Institution deems application of such standards “impossible”, it should notify competent authorities of the Member State in which its headquarters are located. This requirement is in line with the requirement in the Third AML Directive but has been highlighted by some European compliance publications as a point of closer scrutiny under the Fourth AML Directive.
New minimum penalties for financial institutions. For serious, repeated and/or systematic failures in the areas of CDD, suspicious transaction reporting, record keeping and internal controls, minimum penalties may now include: public reprimand, cease and desist orders, suspension of authorization, temporary ban from managerial functions and maximum pecuniary sanctions of at least €5M or 10% of the total annual turnover (and at least €5M for a natural person). For non-financial institutions, penalties can amount to twice the amount of the benefit derived from the breach, or at least €1M. Unlike the prescriptive penalties in the Fourth AML Directive, the Third AML Directive only required Member States to ensure that appropriate administrative measures or penalties could be imposed on Financial Institutions in a manner that would be “effective, proportionate and dissuasive.” For natural persons sanctions could be adjusted “in line with the activity carried out” by that person.
New CDD transaction thresholds for merchants. The Fourth AML Directive includes a requirement for traders in goods that make or receive cash payments of €10,000 or more (in a single transaction or series of transactions that appear to be linked) to conduct CDD on that customer. This is a departure from the €15,000 threshold previously set by the Third AML Directive.
The Fourth EU AML Directive – Impact
Once Member States begin interpreting and localizing the Fourth AML Directive, there are no guarantees that the desired consistency of implementation (which was one of the stated goals of promulgating the Directive) will be attained. Thus, financial institutions will likely have to consider the overall requirements of the Fourth AML Directive as a baseline for their EU operations first, followed by a more detailed country-by-country assessment of the requirements that go above and beyond the ‘floor’ set by the Fourth AML Directive. For U.S.-based financial institutions, the challenge of reconciling the updated Treasury Department guidance with the Fourth AML Directive requirements and the individual country risk assessments by EU Member States may be particularly daunting. 
Furthermore, financial institutions will have to wrangle with reconciling the Fourth AML Directive data retention requirements with the EU’s data protection regulations, which are slated to change in the immediate future. This issue will be particularly acute for U.S.-based financial institutions, whose domestic privacy regime is widely regarded by the EU regulators as providing weaker privacy and security protections.
Despite apparent hurdles, the Fourth AML Directive is more prescriptive in many areas, which should clear up some ambiguity plaguing the AML regulatory landscape in the EU over the last decade. However, reconciliation and compliance with the new requirements will be an uphill battle for the next several years, especially for non-EU financial institutions operating across borders. EU Member States are required to undertake legislative action to implement the Fourth AML Directive by June 26, 2017. This provides financial institutions with some time to understand the baseline requirements. However, once Member States start implementing national laws pursuant to the Fourth AML Directive (something that may take significantly longer than the prescribed two years, given the history of extended deadlines for such actions in the EU), financial institutions will have to consider individual Member States’ nuanced requirements and adjust their compliance programs accordingly. This multi-year tiered adjustment process will impact not only financial institutions operating in the EU but also their branches, subsidiaries and may even drive further changes in the foreign financial institutions’ home jurisdictions.