On 20 May 2015, the European Parliament adopted the final text of the new Directive on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (“theDirective“). The newly adopted rules include recommendations of the intergovernmental Financial Action Task Force (FATF) and represent a significant development of the existing regulatory and legislative framework towards tightening the regime to counteract money laundering and the financing of terrorism.
Higher standards for risk assessment
One of the most important developments compared to the current regime is the increased role of the timely identification, assessment and mitigation of the risks related to money laundering and the financing of terrorism.
For this purpose, the European Commission, the separate member states and also all banks, financial institutions, insurance companies and other obliged entities (“Obliged Entities”) will have to perform a substantial analysis to identify and assess the risks related to money laundering and the financing of terrorism to which they are exposed. During the risk assessment, the Obliged Entities should consider certain risk factors related to their customers, countries or geographic areas, products, services, transactions or delivery channels. This risk assessment should be documented and maintained up-to-date and made available for review to the competent state authorities.
Further, the Directive provides guidelines for the development of internal rules, policies and procedures for the effective management and control of the risks by indicating what should be their minimum content. They should include:
- model risk management practices, customer due diligence, reporting, record-keeping, internal control;
- compliance management including, where appropriate with regard to the size and nature of the business, the appointment of a compliance officer at the management level and employee screening; and
- the creation of an independent audit function to assess the adopted procedures and policies (depending on the nature and extent of the activity).
New approach to due diligence
The requirement for customer due diligence has been broadened by including the instances of occasional transfers of funds exceeding EUR 1,000. In the case of persons trading in goods, the threshold for occasional transactions in cash is EUR 10,000 or more; for providers of gambling services, upon the collection of winnings, the wagering of a stake, or both, the due diligence threshold when carrying out transactions is EUR 2,000 or more.
For life or other investment-related insurance businesses, the Directive introduces a requirement for due diligence on the beneficiaries of life insurance and other investment-related insurance policies as soon as the beneficiaries are identified or designated, so that at the date of the pay-out of the insurance amount, their identity is clear and beyond any doubt.
According to the new rules, when assessing the risks to which they are exposed, the Obliged Entities should consider at least the following risk factors:
- purpose of the account held or the established business relationship;
- size of the transaction to be executed or the provided assets as well as
- frequency or duration of the established business relationship with a specific client.
There are significant changes in the existing approach for the performance of simplified due diligence of customers. The previous Directive allowed the Obliged Entities to apply simplified measures automatically in certain situations (e.g. when their client is a credit or a financial institution or a company whose shares are listed on a regulated market for financial instruments) without sufficient analysis of the specific level of risk to which such customers are exposed in the particular case. Although the new Directive (in Annex № 2) also provides a list of factors of potentially lower risk situations, the Obliged Entities will now have to execute a preliminary risk assessment for each separate case. Only when a lower risk level is established can the simplified customer due diligence be applied while maintaining the obligation for on-going monitoring and reporting of unusual or suspicious transactions by their customers.
A similar approach has been applied to the enhanced customer due diligence and Annex № 3 of the Directive outlines such certain factors of potentially higher-risk situations for money laundering that should be considered by the Obliged Entities.
In addition, it is provided that the European supervisory authorities shall issue guidelines addressed to the competent national authorities, credit institutions and financial institutions that should shine more light on the risk factors to be taken into consideration and the measures to be taken in situations where simplified or enhanced customer due diligence measures are appropriate.
New public register
For the first time the new Directive requires the EU member states to implement and maintain a public register of beneficial owners, which should include certain information regarding the actual beneficial owners of customers/legal entities. There is also a detailed definition of the term “beneficial owner”.
The Directive regulates the right of free access to the information in the register by any third party or organisation that can demonstrate "legitimate interest" (e.g. in the course of investigations by journalists related to money laundering, financing of terrorism or other related crimes).
The newly adopted rules will have serious consequences concerning mainly the protection of personal data of the individuals/beneficial owners. Accessibility to the public register may become the most sensitive element in the new Directive.
A new requirement of the Directive is for Obliged Entities that are part of a group of companies to apply policies and procedures applicable for the entire group, including policies for data protection and procedures for the exchange of information within the group, even if a branch or a subsidiary is located in a third country which does not apply measures to counteract money laundering and the financing of terrorism equivalent to those in the European Union.
Under the Directive, the member states are newly required to implement measures preventing abuse with bearer shares or warrants of such shares. There is also a change in the possibility to rely on customer due diligence performed by third parties.
The administrative sanctions that the member states should apply for systematic breaches of the national provisions transposing the Directive deserve special attention. It is envisaged that the sanctions should be effective and proportionate to the respective breaches and, among others, at least the following sanctions should be applied:
- maximum administrative pecuniary sanctions of at least twice the amount of the benefit derived from the breach, where that benefit can be determined, or at least EUR 1,000,000;
- where the obliged entity concerned is a credit institution or financial institution, maximum administrative pecuniary sanctions of at least EUR 5,000,000 or 10% of the entity’s total annual turnover according to the latest available accounts approved by its management body.
The next steps
The changes brought by the new Directive, including the new requirements for risk assessment, the limited use of simplified due diligence and the introduction of higher standards for monitoring, will affect the established internal processes and organisation of banks, financial institutions, insurance companies and other obliged entities that are required to ensure compliance with the rules against money laundering. Once the new rules come into effect, these processes should be able to identify and assess with great accuracy all risk factors relevant to the specific activity or type of transaction of the company.
The importance of adequate risk assessment is further increased by reducing the transaction thresholds for which customer due diligence is required. Well-structured rules, policies and procedures for counteracting money laundering that adequately identify risk exposures and implement appropriate processes and measures will be essential to avoid the risk of substantial sanctions. Kinstellar has significant experience and supports clients in developing internal policies and processes for compliance with the law including with the financial regulations and the rules for counteracting money laundering.
The Directive is to be published in the Official journal of the European Union, following which the member states will have two years to implement the Directive in their national legislation.