The 2021 EU AML Package

While these measures have not yet made it into actual laws or regulations, banks and other obliged entities should expect AML/CFT regulation in Europe to evolve drastically in the near future.

The 2021 EU AML package includes four legislative proposals:

• A new regulation that implements the creation of a new EU AML Authority (AMLA), which will act as the single AML supervisor across the EU single market
• A 6th AML Directive, which sets out rules and arrangements to implement for Member States’ national supervisors and financial intelligence units
• An update to the so-called Fund Transfer Regulation (Regulation 2015/847), extending its scope and specifying that crypto asset service providers must share information on payers and beneficiaries in a crypto transfer
• A new Regulation, touted as the EU “Single Rulebook” – a set of preventative measures, directly binding on obliged entities operating in the EU.

The Single Rulebook is certainly the most significant development for the private sector, as it effectively closes any remaining gaps in national AML regulations and brings together and codifies a set of AML/CFT preventative measures directly binding on ‘obliged entities’ (meaning banks, life insurance companies, payment service providers, investment firms and some non-financial entities such as lawyers, accountants, real estate agents, casinos, crypto asset service providers, crowdfunding service providers and credit providers that are not financial institutions).

The EU legislative process is underway for these four proposals. A provisional agreement was reached on the changes to the Fund Transfer Regulation in late June 2022, however other proposals, notably the acts establishing the AMLA and the Single Rulebook will likely require further debate and amendments.

“The bottom line is, there is significant political momentum throughout the EU for shaping more effective responses to financial crime challenges,’ says Vincent Gaudel, Financial Crime Compliance Expert at LexisNexis Risk Solutions. “There is a good consensus around most of the proposals, which could become a requirement fairly quickly. It’s essential that financial institutions and other affected organisations pay close attention to the proposals being discussed so they are prepared for what is to come.”

This is particularly true for the single Rulebook, which will once passed become directly binding regulation for all EU obliged entities. Here are some of the trends and the changes to watch:

Strengthening preventative measures: PEP screening and beyond

Regulatory requirements for the detection of business relationships of politically exposed persons (PEPs) have been building through successive Directives:

• Consistent with FATF Recommendations and definitions, the 2005 AML third Directive introduced a definition of PEPs as ‘natural persons who are or have been entrusted with prominent public functions’ and required obliged entities to determine whether their customers were PEPs (PEP family members or close associates were also in scope)
• 10 years later, the fourth Directive extended the scope of PEPs to include domestic PEPs
• Changes introduced through the fifth AML Directive in 2018 called on each EU Member State to define the list of functions which qualified their holders as PEPs. Several EU countries such as Spain, Portugal or Poland have set out national lists of PEP functions.

The proposed Rulebook maintains requirements relating to the detection of relationships with PEPs. “For most obliged entities, PEP screening is a well-established control, and as the Single Rulebook doesn’t change requirements in that area, the handling of PEPs seems to have reached maturity as far as regulators are concerned,” says Gaudel. He adds that while obliged entities need to continue paying careful attention to implementing adequate PEP screening controls, the proposed Rulebook also suggests additional use cases for screening controls.

By introducing formal requirements to account for customer risk variables such as a customer’s reputation or behaviour, the proposed Rulebook clearly makes the case for obliged entities to consider implementing negative news screening. Negative news screening is becoming essential to inform the AML/CFT risk assessment on a customer.

“Negative news screening has been common practice among larger financial institutions for quite some time,” says Gaudel, adding that recent industry guidance such as the Wolfsberg Group’s FAQs on negative news screening were introduced to bring about common market practice, since AML/CFT regulations did not always provide a clear legal basis. The Wolfsberg Group highlights a variety of ways through which negative news screening can add value to financial crime risk management: by helping identifying inconsistencies in a customer’s source of funds narrative, or by informing the ultimate decision to onboard, maintain or exit a customer relationship.

“In its current formulation, the Single Rulebook doesn’t make negative news screening an explicit requirement, but it does introduce much-needed regulatory acknowledgment for negative news screening,” says Gaudel. “Regulators are effectively recognizing the value of negative news screening for the management of financial crime risks and guidance like Wolfsberg’s provides obliged entities with a range of best practices to implement these controls in the most effective way.”

New provisions for outsourcing

As of today, requirements relating to the outsourcing AML/CFT requirements to a non-obliged entity are not part of EU AML legislation. This is likely to change with the Single Rulebook. The Proposal now includes a set of limitations and control requirements applicable to outsourcing arrangements. For example, new limitations are specified and the Proposal states that certain tasks ‘shall not be outsourced under any circumstances’, including:

• Approving the risk assessment
• Drawing up and approving PEP policies, procedures, and controls
• Attributing a risk profile to a customer
• Identifying criteria for the detection of suspicious transactions, and
• Reporting of suspicious activities to the Financial Intelligence Unit.

“It’s also important to remember that the obliged entity itself remains entirely liable for meeting AML/CFT requirements,” says Gaudel. “Even if the process may be outsourced, the risk and liability cannot.”

Balancing AML/CFT with data protection

One important aspect for institutions and an area for EU regulators to consider is data protection. As various provisions in the Single Rulebook require the processing of personal data, privacy requirements laid out in the GDPR need to be accounted for. This is particularly evident in relation to negative news screening, as this may entail processing special categories of personal data (ie, data about racial or ethnic origin, political opinions, religious beliefs, trade union membership, and genetic or biometric data) as well as personal data relating to the individual’s criminal convictions and offences. The GDPR prohibits the processing of this data, except in certain situations such as ‘for reasons of substantial public interest, on the basis of Union or Member State law’. The proposed Rulebook includes the required a legal basis: an obliged entity may process ‘special categories’ of personal data when it is strictly necessary for AML/CFT purposes. However, the Proposal also specifies necessary safeguards when processing such personal data, including the quality of the source data, data security and confidentiality.

Finding the right balance between the need for personal data processing for AML/CFT controls while upholding privacy laws is an area where ongoing discussions are likely to change the shape of the final rules. There are still under intense debate. The European Data Protection Board (EDPB), for example, has expressed concerns about some of the proposals, such as the suggestion that obliged entities should process data relating to allegations of crime, as well as criminal convictions. This presents a high level of risk in terms of data privacy, the EDPB said, and recommended that ‘allegations’ should either be defined clearly or deleted altogether.

Quality data is key

Gaudel stresses that overall, the proposed Rulebook reinforces the vital importance for obliged entities to rely on quality data for their screening controls. “In the absence of a global list of functions for PEPs, for example, a number of commercial databases have developed to help identifying relationships with PEPs,” he says. “But it is important that these databases are handled with care. What is their scope? What sources are monitored? How is data accuracy and completeness verified? and how often is the data refreshed?”

Timely and accurate information is the foundation of a robust, risk-based screening system. In most organisations this will mean a combination of internal data and externally sourced watchlist data. Both must be accurate, credible, relevant, and secure:

Conclusion

The proposals are a clear sign that the pieces of the AML/CFT jigsaw across Europe – and the wider world – are steadily coming together. The upcoming Single Rulebook is of particular significance for streamlining the effectiveness of AML/CFT preventative measures across European obliged entities. Defining a level-playing field in AML/CFT regulations is crucial, as financial criminals are continuously looking for loopholes to misuse the financial system. More than ever, EU obliged entities need to be prepared and equipped to play their part in the collective fight against financial crime.

Screening technology, supported by quality data, is a powerful tool in the fight against financial crime. We work with clients in the financial sector and beyond across the world, providing the expertise, data, and tools they need to meet their compliance obligations efficiently and effectively. Our worldwide reach means that there is always someone available to help and support you when you need it. For more information on our AML screening tools and capabilities, contact us.