In July 2021, the EU announced that it would strengthen its anti-money laundering (AML) and counter-financing of terrorism (CFT) framework by implementing a major legislative package across the bloc. The package will build on regulations introduced in the EU’s Anti-Money Laundering Directives (AMLD) with the goal of further harmonising member states’ AML/CFT legislative environments. Amongst the proposals included in the package is a plan to establish an EU-wide AML/CFT Authority (AMLA) as a centralised supervisory body.
The EU has set an implementation date of 2024 for AMLA, which means that banks and financial institutions across the region must understand how the new authority will function when it begins operations and how it will affect their AML/CFT responsibilities.
European Banking Authority – EBA Report
The AMLA announcement came in light of growing concerns that the EU needs to do more to address the challenges of risk-based AML/CFT supervision across the region. In 2019, the European Banking Authority (EBA) initiated an assessment of competent authorities’ AML/CFT approaches in EU member states. The results of that assessment were released in 2022, and revealed that ‘significant challenges remain in important areas such as the identification and assessment of money laundering and terrorist financing risks.’
The EBA identified a number of common supervisory challenges, including:
- Identifying money laundering risks in the banking sector.
- Translating assessments of money laundering risks into risk-based supervisory strategies.
- Using resources to ensure effective AML/CFT supervision.
- Taking proportionate enforcement measures to correct AML/CFT compliance weaknesses.
- Ensuring effective cooperation between member states’ FIUs.
What Will AMLA Do?
The Anti-Money Laundering Authority is a component of the EU’s comprehensive policy on preventing money laundering and terrorism financing. In practice, AMLA will have two main areas of AML/CFT focus:
- AML/CFT supervision
- Support for member state Financial Intelligence Units (FIU)
In its supervisory role, AMLA will carry out periodic reviews of the financial authorities that it supervises, monitoring and supporting financial institutions and ensuring the harmonised application of EU AML/CFT regulations. The manner in which AMLA exerts its regulatory power will vary by the level of AML/CFT risk that financial institutions present, and constitute both direct and indirect supervision.
AMLA will take a direct supervisory role with EU financial institutions that pose a particularly high AML/CFT risk. This category of institution is referred to as ‘Selected Obligated Entities’.
Selected Obligated Entities will be designated according to a range of criteria, including how many EU member states a particular entity is established in. For example:
- Credit institutions that are established in 7 EU member states or more (including as subsidiaries or branches)
- Financial institutions that operate in 10 EU member states or more (including as subsidiaries or branches)
Selected Obligated Entities will also be designated according to certain benchmark risk indicators, such as:
- The number of high risk customers, such as politically exposed persons (PEPs), that they do business with.
- The volume of products and services they trade in that have AML/CFT vulnerabilities.
- The volume of deposit and payment account services that they provide.
- The volume of correspondent banking services that they provide to third parties.
- The volume of correspondent banking clients from high risk third countries that they do business with.
- The volume of activity that they engage in with virtual asset service providers in third countries.
AMLA’s direct supervisory authority gives it the power to conduct investigations into Selected Obligated Entities, demand the submission of documents, conduct interviews, and perform on-site inspections. Where AMLA discovers compliance violations or AML/CFT deficiencies, it may:
- Request a plan detailing how the entity will achieve AML/CFT compliance.
- Place restrictions on the entity’s business operations.
- Impose changes to the entity’s governance structure.
- Withdraw licences.
Penalties: AMLA may also impose penalties on the entities that it supervises. AMLA financial penalties may be imposed up to a maximum of 10% of the entity’s previous annual turnover, or €10 million. AMLA may also refer certain matters to the relevant national authorities in cases where it is possible to prove criminal activity.
AMLA will have an indirect supervisory role with non-Selected Obligated Entities via their national financial authorities. When the AML/CFT compliance performance of these entities degrades significantly, national financial authorities will be required to notify AMLA, which may then request an investigation or the imposition of sanctions. In some cases, AMLA may request national authorities grant it direct supervision over the noncompliant entities.
Beyond any need for intervention, AMLA will exercise indirect supervision on an ongoing basis by maintaining a harmonised AML methodology in member states. With this in mind, AMLA will set out guidelines and make recommendations for risk-based AML/CFT, perform periodic assessments of national supervisors, and even conduct reviews of non-financial supervisory authorities.
Risk Assessments and AMLA
AMLA’s supervisory focus is intended to promote a harmonised regulatory environment across the EU, with member states categorising financial institutions by their exposure to AML/CFT risk and imposing risk-based compliance requirements on those institutions. Following Financial Action Task Force (FATF) guidance, risk-based AML is predicated on a need to perform effective assessments of customers and their transactions in order to build accurate risk profiles. Risk assessments should take place at onboarding and then throughout the business relationship to capture changes in risk.
With that in mind, firms should prioritise the following processes as part of their risk-based approach:
- Customer due diligence: EU banks and financial institutions must understand who their customers are in order to perform accurate risk assessments. In practice, this means performing suitable customer due diligence (CDD) by collecting data such as names, addresses, dates of birth, and company incorporation details.
- Ultimate beneficial ownership: Money launderers may attempt to use corporate structures or shell companies to conceal their identities. Accordingly, EU firms should establish ultimate beneficial ownership (UBO) of customer entities as part of their CDD process in order to inform their risk assessments.
- Enhanced due diligence: Higher risk customers, or customers that generate certain AML alerts as a result of a risk assessment, should be subject to enhanced due diligence (EDD) measures, including more intensive screening and monitoring procedures.
- PEP screening: Elected officials and government employees present a higher AML/CFT risk and may be classified as politically exposed persons (PEPs). Firms should screen their customers to establish whether they should be classified as PEPs and monitor their status for any changes in risk.
- Sanctions screening: Firms should screen customers against sanctions lists to establish whether they are subject to international sanctions restrictions. In practice this means checking names against the EU sanctions list, and other relevant lists, such as the UK sanctions list, and the US OFAC sanctions list.
- Adverse media monitoring: Changes to customer risk profiles may be revealed in global news media. With that in mind, firms should monitor adverse media sources from across the world for stories that involve their customers. Adverse media monitoring is one of the best ways to enhance the risk assessment process since customer risk exposures may be revealed in news stories prior to their confirmation by official sources.
AMLA and Financial Intelligence Units
AMLA’s AML/CFT support focus means that it will coordinate with member states’ Financial Intelligence Units to facilitate cross-border cooperation. Practically, AMLA’s support role will include:
- The release of guidelines and recommendations to member states’ supervisory authorities and to regulated entities.
- The introduction of templates and models for suspicious activity reporting.
- Participation in joint analysis of cross-border suspicious activity.
- The introduction of a secure network between EU FIUs known as FIU.net.
AMLA is expected to be operational by 2024 which means that firms should begin preparing now to meet the challenges of a new compliance environment. Effective, risk-based AML requires the strategic application of technology: firms must be able to capture a vast amount of customer and transaction data, and perform ongoing monitoring to detect changes in risk profiles. With that in mind, Ripjar’s next generation AML solutions are designed to identify and manage risks in real time, and help firms adjust to new threats and obligations as they emerge.