Home > Regulatory briefings > Consultation on the transposition of the fourth money laundering directive 16/13
Consultation on the transposition of the fourth money laundering directive 16/13
12th October 2016
The Fourth Money Laundering Directive (4MLD or ‘the directive’) was published in the EU Official Journal on 5th June 2015. The directive seeks to give effect to the updated Financial Action Task Force (FATF) standards. It introduces a number of new requirements on relevant businesses and changes to some of the obligations under 3MLD. All EU Member States, including the UK, have two years to transpose the requirements of the directive into national law which will, where necessary, amend or replace the existing money laundering regulation 2007 (MLR 2007) or legislation. The government intends that the new provisions will come into force in national law by 26th June 2017.
In response, on 15th September 2016 the Treasury published a consultation paper on the transposition of the Fourth Money Laundering Directive. The paper outlines the U.K. government’s plans on how to transpose the directive into national law, and also invites parties to provide feedback and evidence on any potential costs and benefits that the transposition would entail.
Proposed amendments to the directive
Following the terrorist attacks in the E.U. and the release of the ‘Panama Papers’, it has been deemed necessary to further strengthen transparency and counter-terrorist provisions. A number of the proposed changes to the directive are still subject to negotiation and agreement between the 28 Member States of the E.U. and may, therefore change in the coming months.
Despite the recent vote to leave the E.U., these changes are still pertinent to the U.K., as it is still a full member of the European Union and all the rights and obligations of EU membership remain in force. Until the conclusion of exit negotiations, the government will continue to negotiate, implement and apply EU legislation.
This regulatory briefing identifies and explains the changes to, and the new requirements of, the Fourth Money Laundering Directive, as outlined in the consultation paper, and how the U.K. intends to transpose them into law and maintain an up-to-date Anti-Money Laundering / Combating the Financing of Terrorism (AML/CFT) regime.
The consultation will be of special interest to:
- banks and other credit institutions
- investment firms
- those classified as, or doing business with, Politically Exposed Persons (PEPs)
- providers of electronic money services
- the accountancy sector
- legal sector
- law enforcement
- members of the AML supervisory regime
Who is covered by the directive?
Entities covered by the directive:
- credit institutions
- financial institutions (including money service businesses)
- auditors, external accountants, tax advisors, notaries and other legal professional, when carrying ou their professional activities
- trust or company service providers
- estate agents
- other persons trading in goods through payments that are made or received in cash amounting to EUR 10,000 or more – whether the transaction is carried out in a single operation or several operations that appear to be linked (see below for further details)
- providers of gambling services
What has changed in the entities covered?
One important change applies to persons trading goods, where the threshold for eligible transactions in cash (or a series of transactions that appear to be linked) will come down from EUR 15,000 to EUR 10,000; and will be extended to receiving as well as making payments in cash. The government plans to implement this change in full as it is a requirement of the directive.
Financial activity that may be exempt from the directive
The government has discretion to provide exemptions to certain persons where there is little risk of money laundering or terrorist financing.
In order for financial activity to be exempt, all of the following criteria must be met:
- the financial activity is limited in absolute terms (see below)
- the financial activity is limited on a transaction basis
- the financial activity is not the main activity of such persons
- the financial activity is ancillary and directly related to the main activity of such persons
- the main activity of such persons is not an activity referred to above (entities covered in the directive except point (6))
- the financial activity is provided only to the customers of the main activity of such persons and is not generally offered to the public
These criteria are only relevant to professional activity, therefore free assistance can be provided to friends and family.
Increase in absolute turnover threshold
There is one turnover threshold across all financial activities. Schedule 2 paragraph (1)(a) of the current regulation, MLR 2007, specifies a total annual turnover limit of £64,000. This value reflects the then VAT registration threshold. If the government were to maintain this link to the VAT registration threshold, the limit would be set at around £82,000 by implementation in 2017. The government proposes to remove this link, and set a higher figure of £100,000.
Financial activity limited on a transaction basis
Financial activity must have a maximum threshold per customer and per single transaction in order to qualify for an exemption from the requirements of the directive. The transaction threshold applies to both a single operation and to several operations which appear to be linked. The maximum transaction threshold per customer and single transaction is currently EUR 1,000 in the MLR 2007 and the government has decided not to amend this.
The government’s view is that £836 (EUR 1,000) remains a sufficiently low enough value to ensure that the types of transactions in question are an impractical and inefficient method for money laundering and/or terrorist financing.
The due diligence requirements and reliance
Those entities that fall within the scope of the directive will be required to apply varying levels of due diligence measures depending on their respective business and services. The varying levels of due diligence will entail either customer due diligence (CDD), simplified due diligence (SDD) or enhanced due diligence (EDD). The following points will stipulate the requirements under the Fourth Anti-Money Laundering Directive for each level of due diligence.
Customer due diligence (CDD)
Obliged entities (‘Obliged entities’ is a widely drawn definition which includes financial institutions, accountants, tax advisers, lawyers, trust providers and estate/letting agents with whom the trustees form a business relationship) are required to apply CDD measures in the following instances:
- when establishing a business relationship
- when carrying out an occasional transaction that:
- amounts to EUR 15,000 or more, whether that transaction is carried out in a single operation or in several operations which appear to be linked; or
- constitutes a transfer of funds, exceeding EUR 1,000
- in the case of persons trading in goods, when carrying out occasional transactions in cash amounting to EUR 10,000 or more, whether the transaction is carried out in a single operation or in several operations which appear to be linked
- for providers of gambling services, upon the collection of winnings, the wagering of a stake, or both, when carrying out transactions amounting to EUR 2,000 or more, whether the transaction is carried out in a single operation or in several operations which appear to be linked
- when there is suspicion of money laundering or terrorist financing, regardless of the situation on derogations, exemptions or thresholds
- when there are doubts about the veracity or adequacy of previously obtained customer identification information
When conducting CDD, the measures involve:
- identifying and verifying the customer’s identity, through documents, data or information obtained from a reliable and independent source
- identifying the beneficial owner and taking reasonable measures to verify that person’s identity
- assessing and, where appropriate, obtaining information on the purpose and intended nature of the business relationship
- conducting ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship
Obliged entities must carry out each of the CDD measures although they may determine the extent of those measures using a risk-based approach. Obliged entities must take into account certain variables when assessing risk (e.g. Annex I of the 4MLD, see page 13 of this regulatory briefing) and be able to demonstrate that the measures taken are appropriate in view of the ML/TF risks that have been identified.
Where an obliged entity is unable to comply with the CDD requirements, it shall not establish a business relationship or carry out any transaction and the entity shall terminate the business relationship. The entity must also consider making a suspicious transaction report to the Financial Intelligence Unit (FIU) in relation to the customer. The U.K.’s FIU is housed within the National Crime Agency.
Bearer shares to be removed
UK companies are no longer allowed to issue bearer shares, and existing bearer shares are being phased out.
Simplified customer due diligence (SDD)
Member States may allow obliged entities to apply simplified customer due diligence (SDD) measures for areas of lower risk, considering types of customers, geographic areas, and particular products, services, transactions or delivery channels as set out in Annex II of the 4MLD.
The directive sets out a non-exhaustive list (Annex II, see page 13 of this regulatory briefing) of factors that should be considered when deciding whether SDD is appropriate. In any case, obliged entities are required to carry out adequate monitoring of the transactions and business relationships in order to be able to detect unusual or suspicious transactions. New proposals plan to remove the existing list in Article 13 of the MLR 2007 and adhere to the non-exhaustive list in Annex II.
Removal of pooled client accounts (PCAs)
Under the 3rd directive there was an express provision for the application of simplified due diligence to pooled client accounts (PCAs):
“beneficial owners of pooled accounts held by notaries and other independent legal professionals from the Member States, or from third countries provided that they are subject to requirements to combat money laundering or terrorist financing consistent with international standards and are supervised for compliance with those requirements and provided that the information on the identity of the beneficial owner is available, on request, to the institutions that act as depository institutions for the pooled accounts.”
This express provision is no longer applicable. Member states may allow obliged entities to apply simplified due diligence measures (SDD), however pooled client accounts are not mentioned in Annex II of the directive.
Enhanced customer due diligence (EDD)
In cases of higher risk, obliged entities must apply enhanced customer due diligence (EDD) measures to manage and mitigate those risks. Under the directive, there are certain situations that will always trigger the application of EDD and there are other circumstances that will trigger EDD measures in a given case. Those other circumstances are identified (non-exhaustively) in Annex III (see page 14 of this regulatory briefing) to the directive. Further, following a careful consideration of the background and purpose of complex and unusually large transactions, and unusual patterns of transactions, which have no apparent economic or lawful purpose, obliged entities are to increase the degree and nature of monitoring of the business relationship in order to determine whether these transactions or activities appear suspicious.
In addition, the European Commission is compiling a list of high-risk third countries with strategic deficiencies in their AML/CFT regimes. The Commission will also provide detailed measures that obliged entities should apply to individuals and businesses that are established in these countries.
The European Supervisory Authority (ESA) provides guidelines on appropriate measure for high-risk situations, including on establishing the source of wealth and funds and how obliged entities may choose to monitor transactions in high-risk relationships.
Reliance on third parties
Ultimate responsibility remains with the obliged entity; however an obliged entity may rely on third parties to meet the CDD requirements. The ability to rely on the member organisation or federations of those obliged entities is new, and a change from the Third Anti-Money Laundering Directive. It must also be noted that in high-risk jurisdictions a third-party cannot be relied upon.
In respect of the third parties that are not based in a high-risk third country, the 4MLD permits reliance on:
- certain obliged entities
- the member organisations or federations of those obliged entities
- other institutions or persons situated in an EU Member State or third country that applies customer due diligence and record-keeping requirements consistent with those in the directive and have their compliance with the requirements of the directive supervised in an appropriate manner
Where third parties are relied on, the obliged entity must obtain the necessary information concerning the CDD requirements from that third party. The obliged entity must take adequate steps to ensure the third party provides, immediately on request, relevant copies of identification and verification data, as well as other relevant documentation on the identity of the customer or the beneficial owner.
Assessment of risks and controls
Obliged entities must have controls in place to identify and assess the money laundering/terrorist financing risks. These controls must be proportionate to the nature and size of the obliged entities.
These controls include:
- the development of internal policies, controls and procedures, including risk management practices, customer due diligence, reporting, record-keeping, internal control, compliance management, including – where appropriate in terms of the nature and size of the business – the appointment of a compliance officer at management level, and screening employees
- where appropriate in relation to the size and nature of the business, an independent audit function to test the internal policies, controls and procedures referred to above.
- approval from senior management for the policies, controls and procedures that are put in place, including monitoring and enhancing the measures taken, where appropriate.
Electronic money risk categorisation
The National Risk Assessment (NRA) identifies the money laundering risk associated with e-money products as medium, however the terrorist financing risk associated with e-money is low.
Certain low risk e-money products can be exempted from aspects of customer due diligence measures. These exemptions can be applied to non-reloadable instruments with a maximum stored value of EUR 250, or reloadable instruments where the maximum monthly payment transaction limit of EUR 250 can be used only in that Member State.
New requirement correspondent banking
The directive outlines new requirements for correspondent relationships and also requires the application of enhanced due diligence to non-EEA correspondent banking relationships. In line with the 2012 FATF Recommendations, Article 3(8) of the directive defines a ‘correspondent relationship’ as:
“(a) the provision of banking services by one bank as the correspondent to another bank as the respondent, including providing a current or other liability account and related services, such as cash management, international funds transfers, cheque clearing, payable-through accounts and foreign exchange services;
(b) the relationships between and among credit institutions and financial institutions including where similar services are provided by a correspondent institution to a respondent institution, and including relationships established for securities transactions or funds transfers;”
Application of enhanced due diligence (EDD)
Due to a number of factors such as speed, volume of transactions, accuracy and efficiency, correspondent banking leaves a bank vulnerable to money laundering.
Thus, when undertaking cross-border correspondent relationships with non-EEA respondent institutions, enhanced due diligence measures should be taken in addition to CDD measures. This includes responsibility to:
- gather sufficient information about the respondent institution to fully understand the nature of the respondent’s business and to determine from publicly available information the reputation of the institution and the quality of supervision
- assess the respondent institution’s AML/CFT controls
- obtain approval from senior management before establishing new correspondent relationships
- document the respective responsibilities of each institution
- with respect to payable-through accounts, be satisfied that the respondent institution has verified the identity of, and performed ongoing due diligence on, the customers having direct access to accounts of the correspondent institution, and that it is able to provide relevant customer due diligence data to the correspondent institution, upon request
Widening definition of Politically Exposed Persons
The directive broadens the AML/CFT requirements in relation to PEPs. PEP now means a natural person who is, or who has been, entrusted with a prominent public function. There is no longer a distinction between domestic or foreign PEPs, therefore all are subject to EDD.
The removal of this distinction is due to the consideration that a domestic PEP can often present a higher risk than foreign PEPs. Because of the differing risk levels amongst countries and individuals, a tailored and proportionate approach is required in regards to the application of EDD.
A non-exhaustive list of natural persons deemed as PEPs is as follows:
- heads of State, heads of government, ministers and deputy or assistant ministers
- members of parliament or of similar legislative bodies
- members of the governing bodies of political parties
- members of supreme courts, of constitutional courts or of other high-level judicial bodies, the decisions of which are not subject to further appeal, except in exceptional circumstances
- members of courts of auditors or of the boards of central banks
- ambassadors, chargés d’affaires and high-ranking officers in the armed forces
- members of the administrative, management or supervisory bodies of State-owned enterprises
- directors, deputy directors and members of the board or equivalent function of an international organisation
What will obliged entities have to do to comply with the directive?
In addition to the CDD measures, obliged entities will need to:
- have in place appropriate risk management systems, including risk-based procedures, to determine whether the customer or the beneficial owner of the customer is a PEP
- apply the following measures in cases of business relationships with politically exposed persons:
- obtain senior management approval for establishing or continuing business relationships with such persons
- take adequate measures to establish the source of wealth and source of funds that are involved in business relationships or transactions with such persons
- conduct enhanced, ongoing monitoring of those business relationships
Introduction of Central Register for Beneficial Ownership
The directive now requires all Member States to implement a central register in order to hold all information on beneficial ownership for corporate and other legal entities incorporated within their territory. The UK is set to establish a public register of company beneficial ownership for foreign companies who already own or buy property in the UK, or who bid on UK central government contracts. The following points will expand on the key considerations regarding beneficial ownership.
Providing beneficial ownership information to the central register
The People with Significant Control (PSC) regime being introduced in 2016 will require entities in scope to hold their PSC information on their own register. PSC entities will need to update their own register on a regular basis and update the central register at Companies House annually.
Requirements for other types of legal entity
The directive’s requirements apply to a wide range of corporate and other legal entities. The PSC regime being introduced in the UK in 2016 will apply to most companies, Limited Liability Partnerships (LLPs) and Societas Europaeae (SEs).
Types of entity that are viewed as falling within the scope to register information on beneficial ownership:
- European Economic Interest Groupings
- Unregistered Companies
- Open Ended Investment Companies (OEICs)
- Investment Companies with Variable Capital
- Co-operative/ community benefit societies
- Building Societies
- Friendly Societies
- Credit Unions
- European Cooperative Society (SCE)
- Charitable Incorporated Organisations (CIOs)
- European Groupings of Territorial Cooperation (EGTC)
- Scottish Partnerships and Scottish Limited Partnerships
- Royal Chartered Bodies
Information requirements of trust beneficial ownership
Article 31 of the directive stipulates that Member States shall require trustees of any express trust governed under their law (whether the trust generates tax consequences or not) to obtain and hold adequate, accurate and up-to-date information on beneficial ownership of the trust and make this information available to competent authorities and Financial Intelligence Units (FIUs).
The government views the requirements of Article 31 in relation to the UK as follows:
- governed under UK law means trusts administered in the UK and non-resident trusts with a UK source income
- the trustee is to obtain and hold adequate, current and up-to-date information on trust beneficial ownership
- the trustee is to provide the trust beneficial ownership information to also be held in the central register when the trust generates tax consequences
- tax consequences means trusts that are liable to tax in the UK and are required to submit tax returns to HMRC, such as for income tax, capital gains tax and inheritance tax
- the trustee, in all cases, must give HMRC and the NCA timely access to the trust beneficial ownership information. This will be achieved through an appropriate notification to the trustee
- timely and unrestricted access to the central register, without alerting the parties to the trust concerned, will be given by HMRC to the NCA
- similar arrangements to trusts means those that include fiducie, treuhand, fideicomiso, Usufruct, Anstalt and Stiftungs
Requirements for trustees
Beneficial ownership information must be adequate, accurate, up-to-date, and include the identities of the following:
- the settlor
- the trustee(s)
- the protector (if any)
- the beneficiaries or class of beneficiaries
- any other natural person exercising effective control over the trust
Building on the reporting mechanism
When a trust generates tax consequences, this means the trust generates a liability to income tax or capital gains tax or when the trust generates inheritance tax liabilities. Where a tax consequence occurs, trustees must provide updated information to HMRC in a prescribed form.
Increased Reporting Obligations
The 4MLD contains requirements for obliged entities, and where applicable, their directors and employees to promptly report suspicious transactions, including attempted transactions when they know, suspect or have reasonable grounds to suspect that funds are the proceeds of criminal activity or are related to terrorist financing.
Obliged entities need to retain documents necessary to comply with CDD for a period of 5 years after the end of the business relationship or occasional transaction. They are also required to retain supporting evidence and records of transactions, consisting of the original documents or copies admissible in judicial proceedings, which are necessary to identify transactions, for 5 years after the end of a business relationship or occasional transaction. This can be extended for a further 5 years following a thorough assessment of the necessity and proportionality of such further retention and if it is justified as being necessary for the prevention, detection or investigation of money laundering or terrorist financing.
Supervision of obliged entities
The directive requires supervisors to ensure that obliged entities are monitored effectively and that they take appropriate measures to comply with the directive. It also requires supervisors to ensure that the individuals who hold a management function within certain entities, or are the beneficial owners of such entities, are fit and proper persons, or in other sectors, the person or their associates do not hold a criminal conviction.
The UK has 27 supervisors, a mixture of self-regulatory bodies and regulators. The Treasury is responsible for the appointment and removal of supervisors, and the MLR 2007 set the role of the supervisors and gives them appropriate powers to effectively monitor their respective sectors. The supervisors in the UK are a highly diverse group including large global professional bodies, smaller professional and representative bodies, as well as public sector organisations. In each area of supervision, the supervisor’s approach needs to be proportionate to the nature and associated risks of the members being supervised.
The current registration conditions vary for each sector and are set out in the Regulations. The government proposes that, where registration is a requirement, all supervisors are given an express power to refuse to register or to cancel an existing registration, for example, where:
- the supervisor is not satisfied that an entity is in a position to meet its AML/CFT and other legal obligations (for example adequate policies and procedures are not in place)
- the supervisor is of the view that a business is an artificial construct disguising criminal intentions
- the member has failed to comply with the MLR 2007.
- the member has failed to pay a penalty that has been imposed under the MLR 2007.
A supervisor will also be granted the ability to add conditions to a registration, or suspend an existing registration.
The directive will require the U.K. to hold entities liable for breaches. Where there are serious, repeated, systemic or a combination of thereof, breaches of customer due diligence, suspicious activity reporting, record-keeping and internal controls, the directive requires the U.K. to make available, at least, the following sanctions and measures:
- a public statement identifying the natural or legal person and the nature of the breach
- an order requiring the natural or legal person to cease the conduct and not to repeat it
- where an obliged entity is subject to an authorisation, withdrawal or suspension of the authorisation
- a temporary ban against any person discharging managerial responsibilities in an obliged entity, or any other natural person, held responsible for the breach, from exercising managerial functions in obliged entities
- sanctions for financial institutions:
- in the case of a legal person, maximum administrative pecuniary sanctions of at least EUR 5,000,000 or 10% of the total annual turnover according to the latest available accounts approved by the management body with different provisions made for the calculation of the annual turnover in respect of a parent undertaking or a subsidiary of a parent undertaking, or
- in the case of a natural person, maximum administrative pecuniary sanctions of at least EUR 5,000 000
Currently, the government does not plan on setting an upper limit to the administrative pecuniary sanction. It is deemed preferable for the incidents to be dealt with on a case-by-case basis in order to ensure the adequate measure or sanction is applied.
The U.K. government is currently reviewing all submitted views in regards to the consultation paper and will publish draft regulations for a further four week consultation. Final policy decisions on how to transpose the directive will then be made. After this, the Treasury will explain why it has reached these policy decisions in the government response to this consultation.
New legislation will need to be made, and provision in existing legislation modified and amended. The government will only “gold-plate” (go further than) the directive where there is good evidence that a material ML/TF risk exists that must be addressed.
As always, please contact a member of the CPA Audit team if you have any queries regarding the changes outlined within this regulatory bulletin.
The following is a non-exhaustive list of risk variables that obliged entities shall consider when determining to what extent to apply customer due diligence measures in accordance with Article 13(3) of the Fourth Money Laundering Directive:
i) the purpose of an account or relationship;
ii) the level of assets to be deposited by a customer or the size of transactions undertaken;
iii) the regularity or duration of the business relationship.
The following is a non-exhaustive list of factors and types of evidence of potentially lower risk referred to in Article 16 of the Fourth Money Laundering Directive:
- Customer risk factors:
- public companies listed on a stock exchange and subject to disclosure requirements (either by stock exchange rules or through law or enforceable means), which impose requirements to ensure adequate transparency of beneficial ownership;
- public administrations or enterprises;
- customers that are resident in geographical areas of lower risk
- Product, service, transaction or delivery channel risk factors:
- life insurance policies for which the premium is low;
- insurance policies for pension schemes if there is no early surrender option and the policy cannot be used as collateral;
- a pension, superannuation or similar scheme that provides retirement benefits to employees, where contributions are made by way of deduction from wages, and the scheme rules do not permit the assignment of a member’s interest under the scheme;
- financial products or services that provide appropriately defined and limited services to certain types of customers, so as to increase access for financial inclusion purposes;
- products where the risks of money laundering and terrorist financing are managed by other factors such as purse limits or transparency of ownership (e.g. certain types of electronic money).
- Geographical risk factors:
- Member States
- third countries having effective AML/CFT systems;
- third countries identified by credible sources as having a low level of corruption or other criminal activity;
- third countries which, on the basis of credible sources such as mutual evaluations, detailed assessment reports or published follow-up reports, have requirements to combat money laundering and terrorist financing.
The following is a non-exhaustive list of factors and types of evidence of potentially higher risk referred to in Article 18(3) of the Fourth Money Laundering Directive:
- Customer risk factors
- the business relationship is conducted in unusual circumstances;
- customers that are resident in geographical areas of higher risk as set out in point (3);
- legal persons or arrangements that are personal asset-holding vehicles;
- companies that have nominee shareholders or shares in bearer form;
- businesses that are cash-intensive;
- the ownership structure of the company appears unusual or excessively complex given the nature of the company’s business;
- Product, service, transaction or delivery channel risk factors:
- private banking;
- products or transactions that might favour anonymity;
- non-face-to-face business relationships or transactions, without certain safeguards, such as electronic signatures;
- payment received from unknown or unassociated third parties;
- new products and new business practices, including new delivery mechanism, and the use of new or developing technologies for both new and pre-existing products;
- Geographical risk factors:
- without prejudice to Article 9, countries identified by credible sources, such as mutual evaluations, detailed assessment reports or published follow-up reports, as not having effective AML/CFT systems;
- countries identified by credible sources as having significant levels of corruption or other criminal activity;
- countries subject to sanctions, embargos or similar measures issued by, for example, the Union or the United Nations;
- countries providing funding or support for terrorist activities, or that have designated terrorist organisations operating within their country.
© CPA Audit LLP 2019.