In light of the EU’s fourth anti-money laundering directive kicking in, Lawyer Monthly hears from Tom Orange, a solicitor at Byrne and Partners LLP, who outlines everything you need to know about the new rules and how to prepare your business for compliance.
The new Directive as of the European Commission proposal
On 26th June 2015, the Fourth European Anti-Money Laundering Directive (EU 2015/849) (the Directive) came into force. Member States will have until 26th June 2017 to implement the Directive into national law. The Directive replaces the Third Anti-Money Laundering Directive (2005/60/EC), which was implemented in the UK by way of the Money Laundering Regulations 2007 (SI 2007/2157). The Directive aims to prevent the European Union’s financial system from being used for tax evasion, terrorist financing and money laundering.
The new Directive follows concerns that the Third Directive did not do enough to achieve consistency across Member States. It takes into account the 40 new recommendations adopted by the Financial Action Task Force (FATF) in February 2012, extending the scope of the current framework and strengthening obligations in several areas.
On 5th July 2016, in response to terror attacks in Europe in 2015 and 2016, and the leak of the Panama Papers, the European Commission published proposals to amend the Directive, with the goal of further strengthening measures against the financing of terrorism and improving the transparency of financial transactions and corporate entities.
This article considers the changes introduced in the Directive in light of the July proposals, the likely impact and the challenges that will be faced by financial institutions.
What are the changes?
Ultimate Beneficial Owners (UBOs)
The Panama Papers revealed the extent to which complex ownership structures are used to hide tax obligations and links to organised crime. The Directive sets out the framework for establishing the beneficial ownership of companies as well as the collection, maintaining and provision of this information.
Further clarification is provided in relation to ownership of companies and trusts. The previous threshold for beneficial ownership remains the same; a shareholding of 25% plus one share or an ownership interest of more than 25%. The July proposal reduces this to 10% with respect to non-financial entities which are considered high risk.
If there is any doubt, the Directive then defines a UBO as a person exercising control over the management of the entity through other means. If it is still unclear who the beneficial owner is, the Directive states that the UBO will be the person(s) holding the position of a senior managing official.
Additional obligations are introduced through the necessity for companies to maintain and make available “adequate, accurate and current” records on who their beneficial owners are to competent authorities, organisations and individuals who can demonstrate a “legitimate interest”. It remains unclear how this will be interpreted by each Member State, but it seems likely that this provision to increase transparency will be accompanied by significant administrative hurdles.
The July proposal extends this right, allowing public access to certain essential beneficial ownership information. This proposal has the potential to cause a great deal of concern with regard to privacy and data protection.
This provision has already been partially implemented in the UK through the introduction of the register of people with significant control (the ‘PSC register’). From 30th June 2016, companies have been required to declare who owns or controls them to Companies House when issuing their annual confirmation statement. The PSC register is designed to ensure that the ultimate owners or controllers of companies are identified and their interests made public in order to deter and impose sanctions on those who hide their interests.
Senior management responsibilities
Although the Directive advises that senior management need not be a member of the board of directors, it indicates in strong terms that this would be a wise idea given the knowledge required. Senior management will need to have “sufficient knowledge of the institution’s money laundering and terrorist financing risk exposure and sufficient seniority to take decisions affecting its risk exposure”, and will be responsible for approving the policies, controls and procedures put in place.
The Directive favours the stick over the carrot, deterring continued breaches by increasing the level of sanctions available. For serious, repeated, systematic (or a combination thereof) breaches, obliged entities face penalties that include naming and shaming, withdrawal of authorisation (where appropriate) and penalties of up to 10% of the annual turnover in the preceding year. In the case of a subsidiary, this is the turnover of the parent company in the preceding year. Individuals face fines of up to €5,000,000 or twice the benefit of the breach.
Simplified Due Diligence (SDD)
The Third Directive enabled Member States to exempt certain entities from Customer Due Diligence (CDD) where there was a low risk of money laundering or terrorist financing. The Fourth Directive enables obliged entities to adapt their measures to low risk situations.
Before applying these simplified measures, the obliged entity must be certain that the business relationship or transaction presents a lower degree risk, as set out in Appendix II. This approach should allow regulated entities to focus their resources on transactions that pose higher risks, such as those involving third countries with ineffective anti-money laundering systems or high levels of corruption.
Enhanced Due Diligence (EDD)
EDD is now required when transacting with entities in high-risk countries. When assessing risks, obliged entities are required to consider the factors detailed in Annex II which include potentially higher-risk situations.
Politically Exposed Persons (PEP)
Foreign PEPs are already considered higher risk. The Directive extends this to domestic PEPs and expands the category to include members of the governing bodies of political parties.
Obliged entities will be required to have appropriate measures in place to determine whether the customer or UBO of the customer is a PEP. If the transaction involves a PEP, senior management approval is required in order to continue or maintain the business relationship. In addition, EDD will continue to be applied for 18 months after the PEP leaves their position. This has been increased from 12 months.
As this change slightly shifts the boundaries, businesses will need to revisit their procedures for identifying and dealing with domestic PEPs before reviewing relationships with existing customers and updating their lists, as EDD may well apply.
Virtual currencies, such as Bitcoin, represent a relatively small market. The European Central Bank reported in 2015 that they do not pose a threat to financial stability due to their size – approximately 70,000 daily transactions worth around €40,000,000.
Though virtual currencies were initially not included in the scope of the Directive, the Commission has changed its view in the wake of the terrorist attacks in Paris. The Commission believes that there is a risk that virtual currencies could be used by terrorist organisations to circumvent checks and conceal transactions as they can be carried out anonymously.
Virtual currency exchange platforms, where virtual currencies can be exchanged for real currencies, and custodian wallet providers, holding virtual funds for customers, are to become obliged entities. This proposal aims to ensure better controls and enhanced due diligence for an unregulated sector, though to some extent virtual currencies already provide a strong digital footprint of transactions.
Pre paid cards
The Commission believes that the anonymous use of pre-paid cards presents a risk of terror financing. The proposal is to reduce the use of anonymous payments through these pre-paid cards by lowering the threshold for identification from €250 (£213) to €150 (£128). Tougher restrictions on their use will apply online.
Financial Intelligence Units (FIUs)
In order to aid the fight against terrorism financing, the Commission proposes new powers and resources for FIUs across the EU.
Member States are to set up centralised bank and payment account registers, allowing FIUs to quickly retrieve necessary information. The Commission has also clarified that FIUs are given a power in the Directive to request information concerning money laundering or terrorist financing from an obliged entity, even if a Suspicious Transaction Report has not been filed. Again, this raises several concerns about safeguards, data protection and conditions of access.
Although much of the aim of the Directive is focussed on preventing terrorism financing, the financial sector will take some collateral damage in the form of increased sanctions and due diligence requirements.
The Directive follows the legislative trend of a stronger compliance culture with a focus on top-down awareness and approval of procedures. It implements harsher requirements for both SDD and EDD and pushes greater responsibility on senior managers. The increased Sanctions further highlight the need to involve compliance teams and solicitors at an early stage in order to ensure that procedures and practices are up to date.
There are questions over how far the duty to provide information on the beneficial owners will extend, and to whom. It is almost inevitable that we will see several challenges to the provision of this information and of its use by investigating or prosecuting authorities.
Despite its inevitable departure from the EU, it seems likely that the UK will want to honour the Directive and maintain its international standing. Notwithstanding perhaps obvious pressures for the UK to attract foreign investment and reduce strain on UK businesses, the strong focus of the Directive on reporting and cooperation between Member States would be significantly undermined if one of the key players in its implementation were to introduce weaker controls. Similarly, it is also unthinkable that the EU would want the UK to withdraw from its obligations; the July proposal makes it quite clear that the effectiveness of achieving transparency and fighting terrorism financing can only be achieved through strong cross-border collaboration and robust, consistent standards.