5AMLD considerations – factors for implementing a robust EU compliance program
The European Union’s 5th Anti-Money Laundering Directive (5AMLD) is now in effect. Technically, EU member states had until January 10, 2020 to implement 5AMLD provisions into their national law. However, as with other EU directives, actual implementation varies widely and no enforcement actions have occurred to date.
Having said that, for obliged entities operating in the EU (or the U.K.), ignoring the directive is not an option. It’s just a matter of time before compliance is mandatory (if it’s not already), and exposing the organization to fines and reputational damage is an unnecessary risk. For example, in Austria, cryptocurrency-related businesses that fail to register face fines of €200,000. In the Czech Republic, these fines might be in the region of €500,000, although that exact figure is not law yet.
If your organization hasn’t taken steps to ensure compliance, it’s imperative to take action now. What factors do you need to consider? What are some practical measures that you should be taking now to comply with 5AMLD?
Balancing 5AMLD and GDPR
It’s important to understand that 5AMLD doesn’t exist in isolation; many other regulations need consideration and coordination, and some of their requirements contradict each other. GDPR upholds strict privacy and data protection measures. PSD2 requires careful handling of payment information. Each of the three directives is fairly new, but they have different goals and don’t take the others’ requirements into account.
To help put an end to corruption and financial crime, one of the most important steps governments can take is to ensure that effective beneficial ownership transparency rules and procedures are in place. On the other hand, data privacy is a critically important topic, not only because of the risks incurred by sub-standard security or legal non-compliance, but because an individual’s digital identity is increasingly the benchmark of their existence.
How can organizations protect privacy while simultaneously ensuring transparency?
Fundamentally, you need to collect enough information to ensure that you can perform AML checks while making sure that the proper consent to acquire that information is granted and that the information is handled effectively throughout the process. The rules for consent are critical.
The exact balance is still to be determined by further guidance, legal clarifications and court rulings. Ian Rumens, global head of private wealth at Intertrust in Jersey, is taking a wait-and-see approach to publishing beneficial ownership information: “Our timetable is designed to allow us to see how all the EU states are going to deal with the conflict between GDPR and 5AMLD,” which might get some resolution in an EU review of implementation in January 2022. As Jersey is not technically a member state of the EU, perhaps he’s in an enviable position, but it does demonstrate the complexity of the issue.
There are other considerations in play. Organizations desire to maximize data collection to fight fraud, better spot patterns of money laundering and improve their customer knowledge. However, collecting data under GDPR has specified restrictions, which makes data analysis more difficult. Does it become a matter of balancing the threat of one regulator against another? Fines and sanctions for AML lapses are well known and considerable, while actions under GDPR are still the exception; should organizations really have to choose?
A clear set of rules
It’s ironic, considering the other directives, that one of the goals of 5AMLD was achieving regulatory homogenization. With so many member states, and so many affected industries, AML requirements in the EU were, to put it bluntly, a mess.
For entities that operated cross-border, multiple regulatory sets and multiple regulatory agencies resulted in significant additional costs, substantial compliance risks and results that were not really effective in any case. Consider that in the EU, banks are spending $20 billion on compliance per year and, as stated by Rob Wainwright, former director of Europol, “professional money launderers are running billions of illegal drug and other criminal profits through the banking system with a 99 percent success rate.”
While the level of desired homogenization is not there yet, 5AMLD has provided some measure of clarity. Consider cryptocurrencies, which previously had no clear legal standing. Under 5AMLD, crypto exchanges and crypto wallet providers will be considered “obliged entities” and face the same requirements as financial institutions. These requirements include AML, customer due diligence, transaction monitoring and suspicious activity reports.
For some operations, these rules are onerous and have led to an exodus to other jurisdictions such as Panama, but others welcome having clear regulations and consider them signs of a maturing industry. Benjamin Kirschbaum, a German lawyer for Winheller Attorneys at Law & Tax Advisors, stated that “exchanges will now have to implement strong KYC procedures. This will help bringing cryptocurrency trading out of the gray market and make it easier for banks and institutional investors to make a move into the space, without regulatory backlash. So, we might begin to see more volume in the space and thus less volatility going forward.”
The concept of company registers, to improve transparency for beneficial ownership, was a part of 4AMLD. Now, with 5AMLD, there are specific dates for having these registers and interconnecting them with the European central platform.
Consultancy UK suggests that “a formalised process to obtain, record and update the beneficial ownership information required for the register should be developed. Technical requirements, including access controls and operational challenges, should also be considered and tested in preparation for compliance with 5AMLD requirements.”
The U.K. Gambling Commission published the fifth edition of its guidance for remote and non-remote casinos to coincide with 5AMLD. Gaming operations face extended requirements aimed at preventing laundered money from being placed in their operations, such as these:
- Conducting risk assessments on (at least) an annual basis, or on any material change, including new products, technology, payments or customer demographics
- Ensuring appropriate policies, procedures and controls to prevent money laundering and terrorist financing
- Implementing, reviewing and revising the policies, procedures and controls to ensure that they remain effective and take into account updated guidelines
Ensure compliance with 5AMLD
No matter your industry, there are some general guidelines to create a robust and scalable 5AMLD compliance program:
- Conduct an effective CIP/CDD program
- Carry out business verification with enhanced UBO checks and registers
- Implement a risk-based approach (RBA)
- Maintain robust AML transaction monitoring
- Identify and conduct EDD
- Perform ongoing due diligence
- Ensure secure and compliant data storage and records management
It’s important to note the need for effective identity verification in any proper AML approach. After all, if you don’t know who you are doing business with, the risk of transacting with criminals, terrorists and corrupt individuals increases.
For companies that already have strong compliance programs in place, 5AMLD might bring some questions, but any scrutiny can be met with confidence that considerations were made. For other companies, creating a robust program now will not only serve for the short term, but set up the organization to thrive as regulations continue to evolve and requirements become ever more demanding.