Is your business subject to the Anti-Money Laundering (AML) Directive and the subsequent laws and regulations in all EU and EEA countries? Then it’s important that you know your obligations regarding the law, and why it’s even necessary to have a European standard for anti-money laundering initiatives and regulations.
On this page we answer the most frequently asked questions about AML and the Anti-Money Laundering Directive, such as:
- Why do we need Anti-Money Laundering (AML) laws and regulations?
- Which businesses are subject to the Anti-Money Laundering Directive?
- How do EU directives and national laws interact?
- The various regulatory agencies
- What happens if businesses don’t uphold the law?
- Guide to the Anti-Money Laundering Directive
- AML 5: the risk-based approach
- Risk assessment
- Policies
- Business procedures
- Audits and verification
- KYC procedure
- AML 6: New requirements coming
Why do we need Anti-Money Laundering (AML) laws and regulations?
Anti-money laundering laws and regulations exist to prevent money being made from criminal activities being used in the rest of society. Fundamentally, the law exists in order to make it more difficult to commit crimes, such as tax avoidance and financial fraud. The law is also intended to prevent the financing of terrorism.
All EU and EEA countries have their own anti-money laundering laws and regulations. However, they’re all formed by EU directives which are formed and approved by the European Parliament. The EU has, at the current moment, created six different directives regarding money laundering. In technical terminology they’re referred to as AML 1-6. AML is an abbreviation for ‘anti-money laundering.’
EU directive
A directive is a legal act decreed by the European Union. The directives are binding for member states and members of the European Economic Area (EEA). However, the countries themselves decide on how to implement the directive in national laws and regulations.
Which businesses are subject to the Anti-Money Laundering Directive?
Different businesses are subject to the Anti-Money Laundering Directive, among others:
- Law firms
- Accountants
- Real estate managers
- Landlords
- Financial companies
- Service providers
How do EU directive and national laws interact?
Whenever the European Parliament issues a directive, the individual member states have a period where they’re required to implement the directive in local legislation. This typically happens by making adjustments in pre-existing laws and/or issuing new executive orders.
The work involved in implementation typically stretches over a longer period, and not all countries implement the law concurrently or similarly. This creates some debate between countries, as it leads to situations arising where it might be more beneficial to set up a financial license in one place and then delivering your products to the remaining countries.
EU’s expert groups
The development of AML-directives involves a number of different professions, interest groups, legal experts as well as local regulatory agencies.
Meo has since 2015 been represented in one of the EU’s payment systems market expert groups (PSMEG) by our CEO, Christian Visti Larsen, who has assisted in developing AML 5.
Different regulatory agencies
The supervisory or regulatory agency that originally issued a business license will often be the party responsible for ensuring proper supervision and enforcement.
But from country to country, there can be a degree of difference between how regulations are enforced. This makes it more enticing for certain businesses to focus their activities in one country where the supervision is more lax – and thereafter selling their wares or services to the rest of the countries in the European inner market.
What happens if businesses don’t uphold the law?
There’s a difference between how the individual regulatory agencies communicate the activities and issues they might uncover when supervising businesses.
At times these can be in the form of regulatory AML reports that specify criticisms, injunctions and even reports to the police. These reports are typically publicly available on their websites, and it’s often required that the reports are displayed on the businesses’ own websites.
If a business is caught not living up to their obligations, it doesn’t necessarily result in a fine. However, the business will rarely be able to avoid penalties or a trip to the metaphorical pillory. For businesses that depend on their good name and reputation, this can be much worse than a fine.
Penalties
The regulatory agencies can rarely issue fines but they are able to report the company in violation of AML laws to the local police department for criminal financial activities. This then results in a police investigation that can lead to a public trial. However, it’s possible for the agency to issue administrative fines in simple cases where the business admits to wrongdoing.
AML 5: The risk-based approach
The latest directive, AML 5, was passed in 2017 and widely adopted by januar 2020. With this directive we transitioned to a risk-conditional approach to anti-money laundering (AML) precautions – an approach that requires more from businesses’ assessment of their client relations.
Businesses now need to assess the individual risk, from each client, of being used for money laundering or financing of terrorism. Some of the central and fundamental elements in the new AML directive is:
- Risk assessments
- Policies
- Business procedures
It’s all up to the business to develop and implement these requirements. Below, we explain what each element entails. Furthermore, you need to create a description of how you audit and supervise each activity, so you’re certain the law is being upheld.
The risk-based approach results in a much greater focus on verification of identity and ongoing KYC checks.
Risk assessment
Businesses subject to the Anti-Money Laundering Directive have to create risk assessments that identify and evaluate every perceived risk associated with individual clients, products, delivery channels and business activities.
To create a risk assessment, the business needs to:
- Consider the risk, from client to client, of being exploited for money laundering or the financing of terrorism. This is also called CDD (Customer Due Diligence).
- Be able to explain and justify the assessment and precautions to the relevant regulatory agency.
- Make a Risk Assessment that includes the business’ precautions and safeguards in relation to the prevention of money laundering.
You could, for example, end up concluding that there is an elevated risk connected with clients living abroad. This risk is dependent on which country the client resides. Based on this information you can evaluate whether you need further documentation from the client. For instance, you could demand to see a copy of their passport or birth certificate. If the businesses’ services allow for people or entities to become clients without physical meetings, you can also decide that this requires a need for further documentation.
Risk assessment
Risk assessments are structured approaches wherein you attempt to, objectively and fairly, assess clients individually. That requires differential treatment.
Policies
A business’ policies describe their overall appetite for risk. This policy will often include descriptions of:
- Which types of clients you want to do business with
- Which types of clients you don’t want to do business with
It will typically be management who outline and develop these policies which are then approved by the board of directors. One of the primary reasons for this is that it forces leaders to acknowledge and actively decide on the risks associated with running the business. In this way no one in the business can acquiesce their responsibilities or wash their hands of wrongdoing if problems arise.
Policies also define the area within which the employees operate without needing constant approval from upper management.
A business’ policies describe their overall approach and capacity for risk. Policies are created by upper management and approved by the board of directors.
Business procedures
Briefly, a business procedure is a written process for how you, as an employee or business, need to conduct yourself in specific, well-defined situations.
A business procedure:
- gives you an overview of the risks you consider to be present with different groups of clients or customers.
- describes the actions you have taken to mitigate this risk.
Example
If you have a client residing abroad, you can use the risk assessment to evaluate whether this constitutes an elevated risk that your business is being misused for money laundering or the financing of terrorism.
This is the perceived risk the business incurs if they take on the client. To be able to accept said risk the business procedure needs to demand a more thorough verification of the client. In addition to a standard KYC check, you can demand notarized copies of passports, or request additional information regarding the business venture.
Furthermore, a business procedure will also contain information regarding when and how you report misconduct to a regulatory agency, such as when you suspect financial malfeasance.
Audits and verification
Audits and verification always have to be documented. It’s useless to perform verification if you can’t subsequently prove it took place.
A typical mistake in this process involves manual verification of copies of passports or driver’s licenses. To counter this, a business procedure could prescribe that the employee has to go through the documents and ensure that the ID is valid and of such a quality that they can subsequently identify the client. But if there’s no documentation that this has happened, the audit is not considered to have transpired regardless of whether or not the employee actually looked through the documents.
KYC check
A KYC check is also performed on the basis of the risk assessment and the identified risks. This is also known as KYC or “Know Your Customer.”
Depending on the perceived risks, you can either perform an enhanced or regular check. KYC requires obtaining identifying personal data about the client. Typically, these will include:
- Name and Social Security Number or Legal Entity Identifier (LEI), depending on whether the client is an individual or another business/organization.
This identifying information needs to be verified via a reliable independent source. That means you need to verify documents and compare them to publicly available information and databases that can validate addresses, passports or names.
KYC Check
Describes how the business conducts itself in order to get to know their customers/clients. KYC is an abbreviation for “Know Your Customer.”
AML 6: New requirements coming
All the previous requirements have a common denominator: they require established procedures and verification processes on each individual client. A secure procedure and verification of client relations can only be ensured if there’s sufficient documentation that it took place.
If you don’t follow the rules it can have grave repercussions for your business. Aside from the already comprehensive demands, you can be subject to increased supervision and thus further requirements. This is a field with a massive political and societal interest and scrutiny, which is why it’s just good business to know the rules and be at the forefront.
The latest edition, AML 6, is scheduled to be implemented in all member states by December 3rd 2020 and go into effect for business by June 3rd 2021. With AML 6 multiple elements will be expanded upon with an emphasis on fines and sanctions.
Meo – steer clear of money laundering with our easy and safe AML solution
As you’ve probably noticed, there are a lot of requirements for businesses when it comes to AML and anti-money laundering laws and regulations. Are you on top of your AML procedures and approaches?
If not, Meo can help.
Meo is a software platform that can help you with AML compliance in addition to a number of other services.
With Meo you can:
- Automatically screen clients via PEP-lists
- Verify clients’ ID
- Collect data from official sources regarding businesses and individuals
