The 5th Anti-Money Laundering Directive (5AMLD) will come into force on January 10, 2020. It addresses a number of weaknesses in the European Union’s Anti-Money Laundering (AML) and Counter Terrorism Financing (CFT) regime that have come to light since the enactment of the 4th Anti-Money Laundering Directive (4AMLD). Businesses in the EU member states are getting serious (or should be) about what the updated 5AMLD rules mean to them.
Let’s take a deeper dive into what the 5AMLD is about and steps you need to take to ensure compliance:
What is the 5AMLD?
The 5AMLD is an amendment to the 4AMLD, which was released in 2015. In a nutshell, it is a set of guidelines designed to bring more transparency to improve the fight against money laundering and terrorist financing across the EU. The EU Commission proposed the revised 5AMLD in July 2016 as part of its action plan against terrorism, after the attacks in Paris and Brussels and as a reaction to the Panama Papers published in April 2016.
Who must meet 5AMLD compliance requirements?
Earlier Directives focused attention on financial services. With 5AMLD, the scope is widened to cover areas such as cryptocurrency exchanges, digital wallet providers, anonymous prepaid cards, gambling services and certain high value transactions.
What are the potential penalties and prosecution risks?
The 5AMLD does not make any changes to penalties themselves, although it does extend their application to more businesses, as noted. So the existing penalties and fine limits set out in the 4AMLD still stand.
However, actual penalties vary among member states, depending on how they enact the directive into law. For example, Article 29 of the 4AMLD specifies fines up to two times the amount gained through the violation, but Germany allows fines up to 20 times the amount gained. Therefore, although technically there is no federal change from the 4AMLD, penalties may change on a country-by-country basis as a result of the 5AMLD, since it is member states that decide and enforce the penalties.
Steps and measures to ensure compliance with 5AMLD requirements
1. Conduct an effective CIP/CDD program
Customer Identification Program (CIP) and Customer Due Diligence (CDD) processes are the cornerstones of an effective AML/CTF program. These processes includes collection, verification and record keeping of Personally Identifiable Information (PII), and screening of customers against sanctions, Politically Exposed Persons (PEP) and adverse news to assess the risks associated with that customer. To onboard good customers and detect bad actors, you should implement an eKYC technology to bring speed and transparency to the digital onboarding process.
2. Carry out business verification with enhanced UBO checks and registers
Obliged entities should assess the information available in Know Your Business (KYB) records and begin the information-gathering process to mitigate any gaps in the Ultimate Beneficial Ownership (UBO) data. Where there may be gaps or new requirements to obtain beneficial ownership information, use KYB periodic reviews as an opportunity to obtain or confirm existing beneficial ownership information. This way, the necessary information is available when it must be transferred into relevant beneficial ownership registers.
3. Implement a risk-based approach (RBA)
Obliged entities must provide evidence that they have undertaken appropriate steps to identify, assess, understand and mitigate AML risk. Banks, for example, need to verify that they have evaluated associated risk factors including customers, products, geography and channel.
4. Maintain robust AML transaction monitoring
You should regularly monitor accounts for suspicious activities by checking if transactions exceed an established threshold in accordance with 5AMLD requirements, and also if the reasons behind said transactions are inconclusive. Suspicious activity should be reported to the appropriate financial intelligence unit (FIU) if there are reasonable grounds that these activities are related to money laundering and terrorist financing.
5. Identify and conduct EDD
You must take measures to perform Enhanced Due Diligence (EDD) and apply it to transactions or business relationships involving high-risk third countries. Wherever required, perform a robust EDD process and:
1. Obtain additional information on the customer, UBOs and intended nature of the business relationship
2. Obtain information on the source of funds and wealth of the customer and UBOs and the reasons for the intended or performed transactions
3. Seek approval of senior management for establishing or continuing the business relationship
4. Conduct enhanced monitoring of the business relationship by increasing the number and timing of controls
6. Perform ongoing due diligence
Monitor the business relationship and scrutinize transactions undertaken throughout the course of that relationship. Ensure that the transactions are consistent with the obliged entity’s knowledge of the customer, the business and risk profile, including the source of funds. Make sure that the documents, data and information held are kept up to date and that relevant account changes are flagged for checking.
7. Ensure secure and compliant data storage and records management
The new regulations present an interesting challenge in that any records you store relating to your transactions to confirm due diligence undertaken need to be encrypted and retained for five years after the end of the customer relationship in order to be compliant with the GDPR.
Change is a constant in the world of AML regulations as bad actors find ways to exploit new products and technologies. The 5AMLD is another indication that the EU and its member states aren’t willing to concede ground in the fight against money laundering, and businesses achieving 5AMLD compliance are a vital part of that effort.