Towards better implementation of the European Union’s anti-money laundering and countering the financing of terrorism framework

Purpose – On 24 July 2019, the European Commission adopted a Communication to the European Parliament and the Council towards better implementation of the European Union’s (EU) anti-money laundering (AML) and countering the financing of terrorism (CFT) framework. This Communication was accompanied by four reports. This papers aims to investigate these reports. Design/methodology/approach – Review of EU developments and reports. Findings – The European Commission continues to work on eliminating the vulnerabilities of the current AML and CFT system. As the reports show, there are still many issues regarding the EU’s AML and CFT framework. The reports offer useful insights into weaknesses and failures and provide a good basis for further discussions with relevant stakeholders, for certain amendments to the current rulebook and enforcement as well as for stronger mechanisms regarding supervision and supporting cross-border cooperation. Originality/value – This article discusses important relevant EU developments.


Introduction
On 24 July 2019, the European Commission adopted a Communication to the European Parliament and the Council towards better implementation of the European Union's (EU) anti-money laundering (AML) and countering the financing of terrorism (CFT) framework. This Communication was accompanied by four reports [1]. As stated in the Communication, risks of money laundering and the financing of terrorism remain a major concern for the integrity of Union's financial system and the security of its citizens. Indeed, is has been estimated that as much as 0.7-1.28 per cent of the EU annual gross domestic product is "detected as being involved in suspect financial activity" (Europol, 2017). Hence, the fight against money laundering and terrorism financing is an important priority for the European Union. The findings set out in the Communication and in the reports are intended to inform the debate about how the AML/CFT framework could be further improved and to provide the basis for further discussions with relevant stakeholders. In this article, these four reports will be investigated [2]. Before discussing these four reports, first, a general overview will be provided of the Fourth, Fifth and Sixth EU Anti-Money Laundering Directives, as these directives contain the current EU's anti-money laundering rules.  [3]. The purpose of the Fourth AML Directive was to strengthen the EU's defences against money laundering and terrorist financing. In the explanatory statement, it was acknowledged that criminal organisations keep seeking new methods to misuse the financial system to launder illicit proceeds or finance terrorism. By an ongoing adjustment and improvement of the norms and standards, the European Commission aims to continue to eliminate the vulnerabilities of the financial system. The Fourth AML Directive extended and replaced the Third EU Anti-Money Laundering Directive, which contained the then existing EU anti-money laundering and counter-terrorist financing regime (Katz, 2007). The introduction of the Fourth AML Directive was mainly driven by revisions to the FATF Recommendations which were adopted in February 2012 to address emerging AML and CTF issues [4]. But there are some areas in which the Fourth AML Directive has gone further, aiming to strengthen international co-operation and harmonise the approach to AML compliance across the EU. Another ground for the introduction of the Fourth AML Directive was the outcome of a review of the Third AML Directive, published in 2012, that the European Commission had undertaken [5].
The Fourth EU AML Directive increased the emphasis on the risk-based approach [6]. This approach had become a key element of the EU regime following the adoption of the Third AML Directive. The risk-based approach moved away from the old rule-based system consisting of exemptions from customer due diligence requirements based on third-country equivalence. This rule-based approach was found to have certain shortcomings (Ross and Hanan, 2007). The new approach meant that the levels and types of action required to be taken by member states, supervisors and organisations depend on the nature and severity of risks, in particular jurisdictions and sectors. Thus, it is now required to conduct regular risk assessments considering the risks posed by customers, countries or geographic areas, products, services, transactions or delivery channels. Risk assessments carried out by the obliged entities such as banks must focus on the risks that affect each of them specifically. The objective of the risk assessment is to identify, understand and mitigate the risk of money laundering and terrorist financing. Regulated organisations are also required to implement policies, procedures and controls to manage and mitigate the associated risks. Other important elements are senior management approval, employee verification and checks and an independent internal audit function. The Fourth EU AML Directive is more prescriptive with respect to the ongoing monitoring of customers and is more specific in outlining factors for consideration and evidencing in conducting risk assessments for each customer, and how these risk assessments must be kept up-to-date. The Fourth Directive included also a new requirement for EU member states to complete risk assessments at national level. The results of these risk assessments will have to be made available to "obliged entities" and other member states to identify, understand, manage and mitigate the risks.
Moreover, the Fourth EU AML Directive amended the list of circumstances when simplified customer due diligence is appropriate by removing listed companies, domestic public authorities and financial institutions which are subject to AML/CTF regulation from the categories of clients to be regarded as posing a lower risk. Thus, regulated organisations will have to carry out their own risk assessment to determine if simplified customer due diligence is appropriate and engage in adequate monitoring to enable the detection of suspicious transactions. Under the new approach, regulated organisations must consider guidance issued by member states on lower risk categories and then decide which customer relationship or transaction presents a low risk.
The biggest impact might be felt in relation to transparency of beneficial owners, which was a new requirement forcing regulated organisations to make sure their staff comply, and hence sufficient training and awareness is necessary. The information regarding beneficial ownership needs to be adequate, accurate and current.
Moreover, the Fourth EU AML Directive subscribes that enhanced due diligence will always be appropriate when transactions relate to politically exposed persons (PEPs). The definition of PEPs was extended and under the Fourth EU AML Directive PEPs now also include domestic individuals occupying prominent public positions. Furthermore, the categories of individuals who can be regarded as PEPs include also members of the governing bodies of political parties, and directors, deputy directors and members of the board or equivalent function of an international organisation. Moreover, it will now be required to identify cases where a beneficial owner is a PEP and apply enhanced customer due diligence. The Fourth EU AML Directive demands that, when a person ceases to be a PEP, a regulated organisation must consider the continuing risk imposed by that person for at least 12 months. Risk-sensitive measures must be applied until that person is deemed to pose no further risk specific to PEPs. Regulated organisations must therefore consider if a person should be treated as a PEP beyond the minimum 12-month period. Moreover, regulated organisations are not entitled to rely exclusively on PEP lists. They are responsible for making their own determination as to whether a customer is a PEP or associated with a PEP. Finally, senior management approval of PEP relationships is needed. This is not new, but the Fourth EU AML Directive provides clarification on who can provide such approval. It is clarified that it does not always have to be a member of the board of directors, but it can be "someone with sufficient knowledge of the institution's money laundering and terrorist financing risk exposure and of sufficient seniority to take decisions affecting its risk exposure".
As a general point, although the language of the directive is clear, it seems to be open to different interpretations, and the new approach seems to be a subjective one. The risk assessment, risk model and risk appetite an organisation has, can be subjective; however, the regulator can have a different view. This reinforces why it is important that organisations make sure their interpretations are in writing, clear and understandable, and based on reasonable and logical arguments.

The Fifth European Union Anti-Money Laundering Directive
On 19 June 2018, the Fifth EU Anti-Money Laundering Directive was published in the Official Journal of the European Union [7]. This directive modified the Fourth AML Directive.

Financing of terrorism framework
The Fifth AML Directive was, amongst others, a reaction to the Panama Papers published in April 2016. The deadline for transposing these new rules into national law is 20 January 2020. Amongst others, the Fifth AML Directive extends the scope to virtual currency platforms and wallet providers, tax-related services and traders of art. Moreover, it obliges member states to create a list of national public offices and functions that qualify as politically exposed. Also, the Fifth Directive ends the anonymity of bank and savings accounts, as well as safe deposit boxes and creates central access mechanisms to bank account and safe deposit boxes holder information throughout the EU and makes information on real estate holders centrally available to public authorities. Furthermore, the Fifth AML Directive contains rules about granting general public access to beneficial ownership information of EU-based companies. However, the separate trust register is only accessible to third parties with a legitimate interest. Also, service providers that must identify their customers such as banks, tax advisers and notaries are obliged to report any inaccuracies in the registration of ultimate beneficial owners (UBO). Finally, I mention that all UBO registers in the EU should be linked as of 10 March 2021.

The Sixth European Union Anti-Money Laundering Directive
On 12 November 2018, the Sixth AML Directive was published in the Official Journal of the EU [8]. This directive will need to be transposed by the members states by 3 December 2020.
Amongst others, the Sixth AML Directive includes a unified list of predicate offences. These offences refer to the criminal activity that gives rise to, or underpins, a money laundering offence. The directive mentions 22 predicate offences which may generate criminal property for the purposes of committing a money laundering offence. They include environmental crimes, tax crimes and cybercrime, trafficking of drugs and humans and fraud. Furthermore, criminal liability is extended to legal entities where a money laundering offence is committed for their benefit by an individual in a leading position within that entity or where a lack of supervision or control by such individual has made possible the commission of a money laundering offence. Hence, it can be expected that the Sixth AML Directive will increase the workload of compliance officers. Possible sanctions include a prohibition from public benefits or aid for four years; a temporary or permanent ban from conducting business; a compulsory winding-up of the organisation; a judicial supervision on the organisation; and a temporary or permanent closure of business units through which the offences were committed.

The four European Union reports 3.1 Report assessing recent alleged money-laundering cases involving European Union credit institutions
The principal aim of the report assessing recent alleged money-laundering cases involving EU credit institutions is to indicate the shortcomings and lessons learnt and to provide evidence for any further policy actions, should they be considered necessary [9]. The findings of the report are organised into two categories, namely: (1) highlighting events within credit institutions; and (2) examining how the various public authorities acted in relation to events.
Regarding findings related to credit institutions' AML defence systems, the review of cases and the analysis identified four broad categories under which shortcomings may be grouped. The first category is ineffective or lack of compliance with the legal requirements for AML/CFT systems and controls. Unfortunately, it was found in many of the cases assessed, that credit institutions did not prioritise compliance with AML in their policies. Moreover, although in some cases, control systems were formally in place, no overall money laundering/terrorist financing risk assessment was conducted at either the level of individual entities or at group level. Furthermore, compliance departments were, in some cases, understaffed, or the compliance function was rarely involved in ultimate decisionmaking. Thus, some credit institutions were ultimately unable to draw meaningful conclusions as to whether a customer's activity was suspicious. Also, many credit institutions had difficulties to determine the identity of the beneficial owners behind their customers because identification is burdensome and beneficial ownership registers were not yet in place. The second category is governance failures in relation to AML. According to the Capital Requirements Directive, credit institutions are required to have governance arrangements in place to ensure sound and effective risk management [10]. The analysis revealed certain deficiencies. For example, regarding the three lines of defence model, in most of the cases analysed, there was evidence of weaknesses about one or more lines of defence, as well as weaknesses in the way those responsible in the different lines of defence interacted with each other. Moreover, in some cases, the first line of defence (business units) was practically non-existent. Often the second line of defence (risk management and compliance) also turned out to be inadequate, and the third line (internal audit) seemed not always to have adequately prioritised AML work, or was not independent from the front line, or did not receive enough attention from senior management. Furthermore, in most cases, the internal reporting of AML risks to local or senior management was not adequately established or followed. In large cross-border banking groups, reporting deficiencies also appeared, according to the report, which were caused by the absence of translations of audit reports, and difficulties for local staff to get access to the top management of the credit institution in another member state.
The third category is misalignments between risk appetite and risk management. From the analysis, amongst others, it appears that some institutions engaged in high-risk business carried out directly in certain (especially third country) jurisdictions or originating from such jurisdictions, and based their business model almost exclusively on non-resident deposits without establishing commensurate AML/CFT policies and controls. Moreover, according to the report, some credit institutions appear to have been promoting an aggressive business model of on-boarding clients and processing transactions based on deliberately limited customer due diligence. The fourth category is about negligence of group AML policies. For example, in some instances, it appeared that the parent company had difficulties in forming an accurate and complete overview of the existing risks in the group.
Regarding examining how the various public authorities acted in relation to events, the report offers many examples of elements that can be improved. For example, it was found in several cases, that AML supervisors appear to have been critically understaffed, and in others, staff seem to have been lacking sufficient experience or knowledge of how to carry out their supervisory tasks. Moreover, regarding supervision of cross-border entities, in most cases, the respective supervisory responsibilities and tasks of the relevant authorities were not sufficiently well understood nor pre-agreed to ensure comprehensive coverage of AML issues at group and individual establishment levels. Furthermore, related to supervisory measures and their effectiveness, it was found that in several assessed cases, supervisors appear to have been often hesitant to impose sanctions or take supervisory measures.

Financing of terrorism framework
To conclude, the report highlights several structural issues, some of them of a serious nature.
3.2 Supranational risk assessment of the money laundering and terrorist financing risks affecting the union According to article 6 of the Fourth AML Directive, the Commission needs to assess AML risks affecting the internal market and relating to cross-border activities and to update this every two years. This report updates the EU Commission's first supranational risk assessment published in 2017 [11]. In this second supranational risk assessment, the Commission identified 47 products and services that are potentially vulnerable to AML, up from 40 in 2017. The report mentions the following four new products/sectors: (1) privately owned automated teller machines; (2) professional football; (3) free ports; and (4) investor citizenship and residence schemes.
Furthermore, the report states that major vulnerabilities remain the following three: (1) First, criminals might use complex corporate structures registered in third countries.
(2) Second, criminals might wilfully use false information or documentation to hide their identity. (3) Third, the national registers on beneficial ownership might have weak spots about their technical implementation or management and this might cause criminals to shift their business to such member states.
3.3 Report assessing the framework for financial intelligence units' cooperation with third countries and obstacles and opportunities to enhance cooperation between financial intelligence units within the European Union Based on article 65 section 2 of the Fifth AML Directive, the EU Commission is required to assess the framework for FIUs' cooperation with third countries and obstacles and opportunities to enhance cooperation between FIUs in the European Union, including the possibility of establishing a coordination and support mechanism [12]. This report assesses this framework. The report discusses cooperation between FIUs and with reporting entities as well as feedback mechanisms. Regarding cooperation, the report mentions that although FIUs have the obligation based on article 53 of the Fourth AML Directive to promptly forward reports which concern another member state to the FIU of that member state, in practice, there is a very small number of such cross-border reports. Furthermore, FIUs also sometimes lack the proper IT tools. Hence, in conclusion, the report states there is a need for a stronger mechanism to coordinate and support cross-border cooperation and analysis.
3.4 Report assessing the conditions and the technical specifications and procedures for ensuring secure and efficient interconnection of central bank account registers and data retrieval system Article 32a of the Fourth AML Directive requires member states to put in place by 10 September 2020 national centralised automated mechanisms, such as central registries or central electronic data retrieval systems, which allow the identification of any natural or legal persons holding or controlling payments accounts, bank accounts and safe deposit boxes. The Fourth AML Directive defines a minimum set of information that should be included in such centralised mechanisms. It also provides that FIUs should have immediate and unfiltered access to them, while the other competent authorities should also have access. Currently, centralised mechanisms containing bank account information are operational in 15 member states according to the report [13]. Based on article 32a section 5 of the Fourth AML Directive, the EU Commission is required to assess the conditions and the technical specifications and procedures for ensuring a secure and efficient interconnection of the centralised automated mechanisms. For that reason, this report assesses the various IT solutions at EU level, already operational or being currently under development, which may serve as models for a possible interconnection of the centralised mechanisms [14]. Based on the report, it seems, every system has some useful elements. As a next step, the EU Commission intends to further consult with relevant stakeholders such as governments, FIU's and Asset Recovery Offices as potential end-users of a possible interconnection system.

Conclusion
The fight against money laundering and terrorist financing is a continuous task. Although much has been achieved in improving the existing framework, particularly through the Fourth, Fifth and Sixth AML Directives, the European Commission continues to work on eliminating the vulnerabilities of the current AML and CFT system. Indeed, as the reports show, there are still many issues regarding the EU's AML and CFT framework. The reports offer useful insights into weaknesses and failures and provide a good basis for further discussions with relevant stakeholders, for certain amendments to the current rulebook and enforcement as well as for stronger mechanisms regarding supervision and supporting cross-border cooperation. Notes