According to Chris Mangioni, Associate Director at Protiviti, banks, financial and credit institutions (including FinTechs and MSBs) as well as other “obliged entities” must be prepared to take urgent action if they haven't already.

4AMLD originally came into effect through local laws in the UK and other EEA (European Economic Area) jurisdictions in June 2017. This Directive and related legislation brought about some of the most comprehensive and high impact changes to the AML approach that the “obliged entities” have yet to experience.

In May 2019, the European Commission (EC) mandated that obliged European home-based regulated entities must conduct a full assessment of every non-EEA country which they have branches or subsidiaries based, by 3rd September. This includes the following:

  • Performing a detailed country-by-country assessment of whether the local regulatory requirements for these non-EEA jurisdictions fall below the Group/EEA requisite standards; meaning that less strict requirements may be applied (including for suspicious transaction identifying and data sharing).
  • Having a written AML/CTF risk assessment in each third country, including obtaining senior management approval at Group level for the assessment.
  • “Without undue delay” (within 28 days maximum), informing their home member state regulator (e.g. Financial Conduct Authority, Central Bank of Ireland, BaFin, Banque de France, Dutch National Bank, etc) of any operations in countries in higher risk jurisdictions where they are unable to comply with all Group-wide policies and requirements.
  • Consider taking further additional measures, such as obtaining consent from customers to overcome any data privacy/local restrictions (where possible).
  • Consider carrying out enhanced reviews of operations in higher risk third countries, including carrying on on-site visits or independent audits to adequately identify, assess and manage ML/TF risks.
  • Carry out enhanced and tailored training for any staff in higher-risk third countries.
  • Ensuring that source of funds (SoF) and destination of funds for a business relationship or occasional transaction (one-off transaction) is adequately determined.

If the obliged entity cannot effectively manage the ML/TF risks in a higher risk third country through the additional measures applied, then the organisation shall close-down some or all of their operations in that country. Upon request, the obliged entity must be able to demonstrate to their AML supervisors/regulators the extent of the additional measures applied to help mitigate any the ML/TF risks. EEA Member state AML supervisors can also require obliged entities to terminate business relationships or even cease operations in the higher risk third country jurisdictions identified.

If the obliged entity cannot effectively manage the ML/TF risks in a higher risk third country through the additional measures applied, then the organisation shall close-down some or all of their operations in that country.

These provisions are in addition to the stricter Enhanced Due Diligence (EDD) measures for relationships with clients from or established in the EC high-risk third country list. This list is considered to be a good starting point for firms assessing the ML/TF risks of non-EEA countries. Further, the FATF list of jurisdictions with strategic deficiencies should also have been considered as identifying potentially higher risk third countries.

Existing State: 4AMLD

Many organisations are assessing how to differentiate their TM and ongoing monitoring process for EC high-risk third countries. 4AMLD brought in a stricter EDD requirement for any business relationship or transaction with a person established in an EC high-risk third country (this is not required for branches or majority-owned subsidiaries of EEA entities, where they can show they comply with Group-wide EEA policies and procedures). This stricter requirement includes making enhancements to ongoing monitoring with an obligation to increase the degree and nature of monitoring of the business relationship in which the transaction is made to determine whether that transaction or that relationship appear to be suspicious. The increase in the monitoring of the business relationship should include the greater scrutiny of transactions.

The EC high-risk third country list originally consisted of 12 countries and now stands at 16 countries after changes made in 2019. One of the proposed additional countries in February 2019 included Saudi Arabia, however, this was retracted by the EC.

Firms that have not yet differentiated their TM and ongoing monitoring processes for clients based in EC high-risk third countries are potentially non-compliant with 4AMLD.

[ymal]

Future State: 5AMLD – Implementation date: 10 January 2020 at the latest

Unlike 4AMLD, there is expected to be no grace period for firms after 10 January 2020. Therefore, it is critical that organisations are taking the necessary steps to plan and implement the necessary changes in advance of the 5th Anti-Money Laundering Directive (5AMLD) being transposed into local EEA law.

Although the date of the 5AMLD related UK Money Laundering Regulations is still to be confirmed, the law will be transposed before obliged entities need to comply with it by January 2020. Other EEA regulators are also progressing with publishing their transposition of 5AMLD into local law.

5AMLD will bring new services and entities into scope for obliged entities. These include crypto-asset related entities (virtual currencies), e-money entities, art intermediaries, tax advisors, letting agents, corporate service providers, high-value dealers and entities involved in the issuance and distribution of anonymous pre-paid payment cards.

Amongst other things, 5AMLD will:

  • Expand upon the stricter EDD ongoing monitoring requirements and measures for EC high-risk third countries. This is now likely to include enhanced ongoing monitoring where a client is ‘involved’ in an EC high-risk third country (as opposed to ‘established’ under 4AMLD).
  • Broaden the criteria for the EC in assessing high-risk third countries.
  • Set out circumstances where remote or electronic forms of ID verification may be used.
  • Help to ensure that there is better information sharing and improved international cooperation between EEA law enforcement bodies, financial intelligence units (FIUs) and regulatory bodies.

5AMLD is also expected to clarify the technical specifics for EEA Company registry’s concerning ultimate beneficial ownership information. Further, it is likely to create additional reporting requirements upon obliged entities to report discrepancies identified on EEA company registers.

As 5AMLD is now less than 6 months from the final implementation date in early January 2020, what necessary steps and measures has your firm taken to help ensure it can comply from day 1 or face potential regulatory backlash and increased scrutiny, including possible associated reputational risks?