02015L0849 — EN — 30.06.2021 — 002.001
This text is meant purely as a documentation tool and has no legal effect. The Union's institutions do not assume any liability for its contents. The authentic versions of the relevant acts, including their preambles, are those published in the Official Journal of the European Union and available in EUR-Lex. Those official texts are directly accessible through the links embedded in this document
DIRECTIVE (EU) 2015/849 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141 5.6.2015, p. 73) |
Amended by:
|
|
Official Journal |
||
No |
page |
date |
||
DIRECTIVE (EU) 2018/843 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 30 May 2018 |
L 156 |
43 |
19.6.2018 |
|
DIRECTIVE (EU) 2019/2177 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 18 December 2019 |
L 334 |
155 |
27.12.2019 |
DIRECTIVE (EU) 2015/849 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 20 May 2015
on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC
(Text with EEA relevance)
CHAPTER I
GENERAL PROVISIONS
SECTION 1
Subject-matter, scope and definitions
Article 1
For the purposes of this Directive, the following conduct, when committed intentionally, shall be regarded as money laundering:
the conversion or transfer of property, knowing that such property is derived from criminal activity or from an act of participation in such activity, for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person's action;
the concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of, property, knowing that such property is derived from criminal activity or from an act of participation in such an activity;
the acquisition, possession or use of property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation in such an activity;
participation in, association to commit, attempts to commit and aiding, abetting, facilitating and counselling the commission of any of the actions referred to in points (a), (b) and (c).
Article 2
This Directive shall apply to the following obliged entities:
credit institutions;
financial institutions;
the following natural or legal persons acting in the exercise of their professional activities:
auditors, external accountants and tax advisors, and any other person that undertakes to provide, directly or by means of other persons to which that other person is related, material aid, assistance or advice on tax matters as principal business or professional activity;
notaries and other independent legal professionals, where they participate, whether by acting on behalf of and for their client in any financial or real estate transaction, or by assisting in the planning or carrying out of transactions for their client concerning the:
buying and selling of real property or business entities;
managing of client money, securities or other assets;
opening or management of bank, savings or securities accounts;
organisation of contributions necessary for the creation, operation or management of companies;
creation, operation or management of trusts, companies, foundations, or similar structures;
trust or company service providers not already covered under point (a) or (b);
estate agents including when acting as intermediaries in the letting of immovable property, but only in relation to transactions for which the monthly rent amounts to EUR 10 000 or more;
other persons trading in goods to the extent that payments are made or received in cash in an amount of EUR 10 000 or more, whether the transaction is carried out in a single operation or in several operations which appear to be linked;
providers of gambling services;
providers engaged in exchange services between virtual currencies and fiat currencies;
custodian wallet providers;
persons trading or acting as intermediaries in the trade of works of art, including when this is carried out by art galleries and auction houses, where the value of the transaction or a series of linked transactions amounts to EUR 10 000 or more;
persons storing, trading or acting as intermediaries in the trade of works of art when this is carried out by free ports, where the value of the transaction or a series of linked transactions amounts to EUR 10 000 or more.
Among the factors considered in their risk assessments, Member States shall assess the degree of vulnerability of the applicable transactions, including with respect to the payment methods used.
In their risk assessments, Member States shall indicate how they have taken into account any relevant findings in the reports issued by the Commission pursuant to Article 6.
Any decision taken by a Member State pursuant to the first subparagraph shall be notified to the Commission, together with a justification based on the specific risk assessment. The Commission shall communicate that decision to the other Member States.
Member States may decide that persons that engage in a financial activity on an occasional or very limited basis where there is little risk of money laundering or terrorist financing do not fall within the scope of this Directive, provided that all of the following criteria are met:
the financial activity is limited in absolute terms;
the financial activity is limited on a transaction basis;
the financial activity is not the main activity of such persons;
the financial activity is ancillary and directly related to the main activity of such persons;
the main activity of such persons is not an activity referred to in points (a) to (d) or point (f) of paragraph 1(3);
the financial activity is provided only to the customers of the main activity of such persons and is not generally offered to the public.
The first subparagraph shall not apply to persons engaged in the activity of money remittance as defined in point (13) of Article 4 of Directive 2007/64/EC of the European Parliament and of the Council ( 2 ).
Article 3
For the purposes of this Directive, the following definitions apply:
‘credit institution’ means a credit institution as defined in point (1) of Article 4(1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council ( 3 ), including branches thereof, as defined in point (17) of Article 4(1) of that Regulation, located in the Union, whether its head office is situated within the Union or in a third country;
‘financial institution’ means:
an undertaking other than a credit institution, which carries out one or more of the activities listed in points (2) to (12), (14) and (15) of Annex I to Directive 2013/36/EU of the European Parliament and of the Council ( 4 ), including the activities of currency exchange offices (bureaux de change);
an insurance undertaking as defined in point (1) of Article 13 of Directive 2009/138/EC of the European Parliament and of the Council ( 5 ), insofar as it carries out life assurance activities covered by that Directive;
an investment firm as defined in point (1) of Article 4(1) of Directive 2004/39/EC of the European Parliament and of the Council ( 6 );
a collective investment undertaking marketing its units or shares;
an insurance intermediary as defined in point (5) of Article 2 of Directive 2002/92/EC of the European Parliament and of the Council ( 7 ) where it acts with respect to life insurance and other investment-related services, with the exception of a tied insurance intermediary as defined in point (7) of that Article;
branches, when located in the Union, of financial institutions as referred to in points (a) to (e), whether their head office is situated in a Member State or in a third country;
‘property’ means assets of any kind, whether corporeal or incorporeal, movable or immovable, tangible or intangible, and legal documents or instruments in any form including electronic or digital, evidencing title to or an interest in such assets;
‘criminal activity’ means any kind of criminal involvement in the commission of the following serious crimes:
terrorist offences, offences related to a terrorist group and offences related to terrorist activities as set out in Titles II and III of Directive (EU) 2017/541 ( 8 );
any of the offences referred in Article 3(1)(a) of the 1988 United Nations Convention against Illicit Traffic in Narcotic Drugs and Psychotropic Substances;
the activities of criminal organisations as defined in Article 1(1) of Council Framework Decision 2008/841/JHA ( 9 );
fraud affecting the Union's financial interests, where it is at least serious, as defined in Article 1(1) and Article 2(1) of the Convention on the protection of the European Communities' financial interests ( 10 );
corruption;
all offences, including tax crimes relating to direct taxes and indirect taxes and as defined in the national law of the Member States, which are punishable by deprivation of liberty or a detention order for a maximum of more than one year or, as regards Member States that have a minimum threshold for offences in their legal system, all offences punishable by deprivation of liberty or a detention order for a minimum of more than six months;
‘self-regulatory body’ means a body that represents members of a profession and has a role in regulating them, in performing certain supervisory or monitoring type functions and in ensuring the enforcement of the rules relating to them;
‘beneficial owner’ means any natural person(s) who ultimately owns or controls the customer and/or the natural person(s) on whose behalf a transaction or activity is being conducted and includes at least:
in the case of corporate entities:
the natural person(s) who ultimately owns or controls a legal entity through direct or indirect ownership of a sufficient percentage of the shares or voting rights or ownership interest in that entity, including through bearer shareholdings, or through control via other means, other than a company listed on a regulated market that is subject to disclosure requirements consistent with Union law or subject to equivalent international standards which ensure adequate transparency of ownership information.
A shareholding of 25 % plus one share or an ownership interest of more than 25 % in the customer held by a natural person shall be an indication of direct ownership. A shareholding of 25 % plus one share or an ownership interest of more than 25 % in the customer held by a corporate entity, which is under the control of a natural person(s), or by multiple corporate entities, which are under the control of the same natural person(s), shall be an indication of indirect ownership. This applies without prejudice to the right of Member States to decide that a lower percentage may be an indication of ownership or control. Control through other means may be determined, inter alia, in accordance with the criteria in Article 22(1) to (5) of Directive 2013/34/EU of the European Parliament and of the Council ( 11 );
if, after having exhausted all possible means and provided there are no grounds for suspicion, no person under point (i) is identified, or if there is any doubt that the person(s) identified are the beneficial owner(s), the natural person(s) who hold the position of senior managing official(s), the obliged entities shall keep records of the actions taken in order to identify the beneficial ownership under point (i) and this point;
in the case of trusts, all following persons:
the settlor(s);
the trustee(s);
the protector(s), if any;
the beneficiaries or where the individuals benefiting from the legal arrangement or entity have yet to be determined, the class of persons in whose main interest the legal arrangement or entity is set up or operates;
any other natural person exercising ultimate control over the trust by means of direct or indirect ownership or by other means;
in the case of legal entities such as foundations, and legal arrangements similar to trusts, the natural person(s) holding equivalent or similar positions to those referred to in point (b);
‘trust or company service provider’ means any person that, by way of its business, provides any of the following services to third parties:
the formation of companies or other legal persons;
acting as, or arranging for another person to act as, a director or secretary of a company, a partner of a partnership, or a similar position in relation to other legal persons;
providing a registered office, business address, correspondence or administrative address and other related services for a company, a partnership or any other legal person or arrangement;
acting as, or arranging for another person to act as, a trustee of an express trust or a similar legal arrangement;
acting as, or arranging for another person to act as, a nominee shareholder for another person other than a company listed on a regulated market that is subject to disclosure requirements in accordance with Union law or subject to equivalent international standards;
‘correspondent relationship’ means:
the provision of banking services by one bank as the correspondent to another bank as the respondent, including providing a current or other liability account and related services, such as cash management, international funds transfers, cheque clearing, payable-through accounts and foreign exchange services;
the relationships between and among credit institutions and financial institutions including where similar services are provided by a correspondent institution to a respondent institution, and including relationships established for securities transactions or funds transfers;
‘politically exposed person’ means a natural person who is or who has been entrusted with prominent public functions and includes the following:
heads of State, heads of government, ministers and deputy or assistant ministers;
members of parliament or of similar legislative bodies;
members of the governing bodies of political parties;
members of supreme courts, of constitutional courts or of other high-level judicial bodies, the decisions of which are not subject to further appeal, except in exceptional circumstances;
members of courts of auditors or of the boards of central banks;
ambassadors, chargés d'affaires and high-ranking officers in the armed forces;
members of the administrative, management or supervisory bodies of State-owned enterprises;
directors, deputy directors and members of the board or equivalent function of an international organisation.
No public function referred to in points (a) to (h) shall be understood as covering middle-ranking or more junior officials;
‘family members’ includes the following:
the spouse, or a person considered to be equivalent to a spouse, of a politically exposed person;
the children and their spouses, or persons considered to be equivalent to a spouse, of a politically exposed person;
the parents of a politically exposed person;
‘persons known to be close associates’ means:
natural persons who are known to have joint beneficial ownership of legal entities or legal arrangements, or any other close business relations, with a politically exposed person;
natural persons who have sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the de facto benefit of a politically exposed person.
‘senior management’ means an officer or employee with sufficient knowledge of the institution's money laundering and terrorist financing risk exposure and sufficient seniority to take decisions affecting its risk exposure, and need not, in all cases, be a member of the board of directors;
‘business relationship’ means a business, professional or commercial relationship which is connected with the professional activities of an obliged entity and which is expected, at the time when the contact is established, to have an element of duration;
‘gambling services’ means a service which involves wagering a stake with monetary value in games of chance, including those with an element of skill such as lotteries, casino games, poker games and betting transactions that are provided at a physical location, or by any means at a distance, by electronic means or any other technology for facilitating communication, and at the individual request of a recipient of services;
‘group’ means a group of undertakings which consists of a parent undertaking, its subsidiaries, and the entities in which the parent undertaking or its subsidiaries hold a participation, as well as undertakings linked to each other by a relationship within the meaning of Article 22 of Directive 2013/34/EU;
‘electronic money’ means electronic money as defined in point (2) of Article 2 of Directive 2009/110/EC, but excluding monetary value as referred to in Article 1(4) and (5) of that Directive;
‘shell bank’ means a credit institution or financial institution, or an institution that carries out activities equivalent to those carried out by credit institutions and financial institutions, incorporated in a jurisdiction in which it has no physical presence, involving meaningful mind and management, and which is unaffiliated with a regulated financial group;
‘virtual currencies’ means a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically;
‘custodian wallet provider’ means an entity that provides services to safeguard private cryptographic keys on behalf of its customers, to hold, store and transfer virtual currencies.
Article 4
Article 5
Member States may adopt or retain in force stricter provisions in the field covered by this Directive to prevent money laundering and terrorist financing, within the limits of Union law.
SECTION 2
Risk assessment
Article 6
To that end, the Commission shall, by 26 June 2017, draw up a report identifying, analysing and evaluating those risks at Union level. Thereafter, the Commission shall update its report every two years, or more frequently if appropriate.
The report referred to in paragraph 1 shall cover at least the following:
the areas of the internal market that are at greatest risk;
the risks associated with each relevant sector including, where available, estimates of the monetary volumes of money laundering provided by Eurostat for each of those sectors;
the most widespread means used by criminals to launder illicit proceeds, including, where available, those particularly used in transactions between Member States and third countries, independently of the identification of a third country as high-risk pursuant to Article 9(2).
Article 7
As regards the risk assessment referred to in paragraph 1, each Member State shall:
use it to improve its AML/CFT regime, in particular by identifying any areas where obliged entities are to apply enhanced measures and, where appropriate, specifying the measures to be taken;
identify, where appropriate, sectors or areas of lower or greater risk of money laundering and terrorist financing;
use it to assist it in the allocation and prioritisation of resources to combat money laundering and terrorist financing;
use it to ensure that appropriate rules are drawn up for each sector or area, in accordance with the risks of money laundering and terrorist financing;
make appropriate information available promptly to obliged entities to facilitate the carrying out of their own money laundering and terrorist financing risk assessments;
report the institutional structure and broad procedures of their AML/CFT regime, including, inter alia, the FIU, tax authorities and prosecutors, as well as the allocated human and financial resources to the extent that this information is available;
report on national efforts and resources (labour forces and budget) allocated to combat money laundering and terrorist financing.
Article 8
The policies, controls and procedures referred to in paragraph 3 shall include:
the development of internal policies, controls and procedures, including model risk management practices, customer due diligence, reporting, record-keeping, internal control, compliance management including, where appropriate with regard to the size and nature of the business, the appointment of a compliance officer at management level, and employee screening;
where appropriate with regard to the size and nature of the business, an independent audit function to test the internal policies, controls and procedures referred to in point (a).
SECTION 3
Third-country policy
Article 9
The Commission is empowered to adopt delegated acts in accordance with Article 64 in order to identify high-risk third countries, taking into account strategic deficiencies in particular in the following areas:
the legal and institutional AML/CFT framework of the third country, in particular:
the criminalisation of money laundering and terrorist financing;
measures relating to customer due diligence;
requirements relating to record-keeping;
requirements to report suspicious transactions;
the availability of accurate and timely information of the beneficial ownership of legal persons and arrangements to competent authorities;
the powers and procedures of the third country’s competent authorities for the purposes of combating money laundering and terrorist financing including appropriately effective, proportionate and dissuasive sanctions, as well as the third country’s practice in cooperation and exchange of information with Member States’ competent authorities;
the effectiveness of the third country’s AML/CFT system in addressing money laundering or terrorist financing risks.
CHAPTER II
CUSTOMER DUE DILIGENCE
SECTION 1
General provisions
Article 10
Article 11
Member States shall ensure that obliged entities apply customer due diligence measures in the following circumstances:
when establishing a business relationship;
when carrying out an occasional transaction that:
amounts to EUR 15 000 or more, whether that transaction is carried out in a single operation or in several operations which appear to be linked; or
constitutes a transfer of funds, as defined in point (9) of Article 3 of Regulation (EU) 2015/847 of the European Parliament and of the Council ( 13 ), exceeding EUR 1 000 ;
in the case of persons trading in goods, when carrying out occasional transactions in cash amounting to EUR 10 000 or more, whether the transaction is carried out in a single operation or in several operations which appear to be linked;
for providers of gambling services, upon the collection of winnings, the wagering of a stake, or both, when carrying out transactions amounting to EUR 2 000 or more, whether the transaction is carried out in a single operation or in several operations which appear to be linked;
when there is a suspicion of money laundering or terrorist financing, regardless of any derogation, exemption or threshold;
when there are doubts about the veracity or adequacy of previously obtained customer identification data.
Article 12
By way of derogation from points (a), (b) and (c) of the first subparagraph of Article 13(1) and Article 14, and based on an appropriate risk assessment which demonstrates a low risk, a Member State may allow obliged entities not to apply certain customer due diligence measures with respect to electronic money, where all of the following risk-mitigating conditions are met:
the payment instrument is not reloadable, or has a maximum monthly payment transactions limit of EUR 150 which can be used only in that Member State;
the maximum amount stored electronically does not exceed EUR 150;
the payment instrument is used exclusively to purchase goods or services;
the payment instrument cannot be funded with anonymous electronic money;
the issuer carries out sufficient monitoring of the transactions or business relationship to enable the detection of unusual or suspicious transactions.
▼M1 —————
Member States may decide not to accept on their territory payments carried out by using anonymous prepaid cards.
Article 13
Customer due diligence measures shall comprise:
identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source, including, where available, electronic identification means, relevant trust services as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council ( 15 ) or any other secure, remote or electronic identification process regulated, recognised, approved or accepted by the relevant national authorities;
identifying the beneficial owner and taking reasonable measures to verify that person's identity so that the obliged entity is satisfied that it knows who the beneficial owner is, including, as regards legal persons, trusts, companies, foundations and similar legal arrangements, taking reasonable measures to understand the ownership and control structure of the customer. ►M1 Where the beneficial owner identified is the senior managing official as referred to in Article 3(6)(a) (ii), obliged entities shall take the necessary reasonable measures to verify the identity of the natural person who holds the position of senior managing official and shall keep records of the actions taken as well as any difficulties encountered during the verification process; ◄
assessing and, as appropriate, obtaining information on the purpose and intended nature of the business relationship;
conducting ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the obliged entity's knowledge of the customer, the business and risk profile, including where necessary the source of funds and ensuring that the documents, data or information held are kept up-to-date.
When performing the measures referred to in points (a) and (b) of the first subparagraph, obliged entities shall also verify that any person purporting to act on behalf of the customer is so authorised and identify and verify the identity of that person.
For life or other investment-related insurance business, Member States shall ensure that, in addition to the customer due diligence measures required for the customer and the beneficial owner, credit institutions and financial institutions conduct the following customer due diligence measures on the beneficiaries of life insurance and other investment-related insurance policies, as soon as the beneficiaries are identified or designated:
in the case of beneficiaries that are identified as specifically named persons or legal arrangements, taking the name of the person;
in the case of beneficiaries that are designated by characteristics or by class or by other means, obtaining sufficient information concerning those beneficiaries to satisfy the credit institutions or financial institution that it will be able to establish the identity of the beneficiary at the time of the payout.
With regard to points (a) and (b) of the first subparagraph, the verification of the identity of the beneficiaries shall take place at the time of the payout. In the case of assignment, in whole or in part, of the life or other investment-related insurance to a third party, credit institutions and financial institutions aware of the assignment shall identify the beneficial owner at the time of the assignment to the natural or legal person or legal arrangement receiving for its own benefit the value of the policy assigned.
Article 14
Member States shall not apply the first subparagraph to notaries, other independent legal professionals, auditors, external accountants and tax advisors only to the strict extent that those persons ascertain the legal position of their client, or perform the task of defending or representing that client in, or concerning, judicial proceedings, including providing advice on instituting or avoiding such proceedings.
SECTION 2
Simplified customer due diligence
Article 15
Article 16
When assessing the risks of money laundering and terrorist financing relating to types of customers, geographic areas, and particular products, services, transactions or delivery channels, Member States and obliged entities shall take into account at least the factors of potentially lower risk situations set out in Annex II.
Article 17
►M2 By 26 June 2017, the ESAs shall issue guidelines, addressed to competent authorities and to the credit institutions and financial institutions, in accordance with Article 16 of Regulation (EU) No 1093/2010 on the risk factors to be taken into consideration and the measures to be taken in situations where simplified customer due diligence measures are appropriate. From 1 January 2020, EBA shall, where appropriate, issue such guidelines. ◄ Specific account shall be taken of the nature and size of the business, and, where appropriate and proportionate, specific measures shall be laid down.
SECTION 3
Enhanced customer due diligence
Article 18
Enhanced customer due diligence measures need not be invoked automatically with respect to branches or majority-owned subsidiaries of obliged entities established in the Union which are located in high-risk third countries, where those branches or majority-owned subsidiaries fully comply with the group-wide policies and procedures in accordance with Article 45. Member States shall ensure that those cases are handled by obliged entities by using a risk-based approach.
Member States shall require obliged entities to examine, as far as reasonably possible, the background and purpose of all transactions that fulfil at least one of the following conditions:
they are complex transactions;
they are unusually large transactions;
they are conducted in an unusual pattern;
they do not have an apparent economic or lawful purpose.
In particular, obliged entities shall increase the degree and nature of monitoring of the business relationship, in order to determine whether those transactions or activities appear suspicious.
Article 18a
With respect to business relationships or transactions involving high-risk third countries identified pursuant to Article 9(2), Member States shall require obliged entities to apply the following enhanced customer due diligence measures:
obtaining additional information on the customer and on the beneficial owner(s);
obtaining additional information on the intended nature of the business relationship;
obtaining information on the source of funds and source of wealth of the customer and of the beneficial owner(s);
obtaining information on the reasons for the intended or performed transactions;
obtaining the approval of senior management for establishing or continuing the business relationship;
conducting enhanced monitoring of the business relationship by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination.
Member States may require obliged entities to ensure, where applicable, that the first payment be carried out through an account in the customer’s name with a credit institution subject to customer due diligence standards that are not less robust than those laid down in this Directive.
In addition to the measures provided in paragraph 1 and in compliance with the Union’s international obligations, Member States shall require obliged entities to apply, where applicable, one or more additional mitigating measures to persons and legal entities carrying out transactions involving high-risk third countries identified pursuant to Article 9(2). Those measures shall consist of one or more of the following:
the application of additional elements of enhanced due diligence;
the introduction of enhanced relevant reporting mechanisms or systematic reporting of financial transactions;
the limitation of business relationships or transactions with natural persons or legal entities from the third countries identified as high risk countries pursuant to Article 9(2).
In addition to the measures provided in paragraph 1, Member States shall apply, where applicable, one or several of the following measures with regard to high-risk third countries identified pursuant to Article 9(2) in compliance with the Union’s international obligations:
refusing the establishment of subsidiaries or branches or representative offices of obliged entities from the country concerned, or otherwise taking into account the fact that the relevant obliged entity is from a country that does not have adequate AML/CFT regimes;
prohibiting obliged entities from establishing branches or representative offices in the country concerned, or otherwise taking into account the fact that the relevant branch or representative office would be in a country that does not have adequate AML/CFT regimes;
requiring increased supervisory examination or increased external audit requirements for branches and subsidiaries of obliged entities located in the country concerned;
requiring increased external audit requirements for financial groups with respect to any of their branches and subsidiaries located in the country concerned;
requiring credit and financial institutions to review and amend, or if necessary terminate, correspondent relationships with respondent institutions in the country concerned.
Article 19
With respect to cross-border correspondent relationships involving the execution of payments with a third-country respondent institution, Member States shall, in addition to the customer due diligence measures laid down in Article 13, require their credit institutions and financial institutions when entering into a business relationship to:
gather sufficient information about the respondent institution to understand fully the nature of the respondent's business and to determine from publicly available information the reputation of the institution and the quality of supervision;
assess the respondent institution's AML/CFT controls;
obtain approval from senior management before establishing new correspondent relationships;
document the respective responsibilities of each institution;
with respect to payable-through accounts, be satisfied that the respondent institution has verified the identity of, and performed ongoing due diligence on, the customers having direct access to accounts of the correspondent institution, and that it is able to provide relevant customer due diligence data to the correspondent institution, upon request.
Article 20
With respect to transactions or business relationships with politically exposed persons, Member States shall, in addition to the customer due diligence measures laid down in Article 13, require obliged entities to:
have in place appropriate risk management systems, including risk-based procedures, to determine whether the customer or the beneficial owner of the customer is a politically exposed person;
apply the following measures in cases of business relationships with politically exposed persons:
obtain senior management approval for establishing or continuing business relationships with such persons;
take adequate measures to establish the source of wealth and source of funds that are involved in business relationships or transactions with such persons;
conduct enhanced, ongoing monitoring of those business relationships.
Article 20a
Article 21
Member States shall require obliged entities to take reasonable measures to determine whether the beneficiaries of a life or other investment-related insurance policy and/or, where required, the beneficial owner of the beneficiary are politically exposed persons. Those measures shall be taken no later than at the time of the payout or at the time of the assignment, in whole or in part, of the policy. Where there are higher risks identified, in addition to applying the customer due diligence measures laid down in Article 13, Member States shall require obliged entities to:
inform senior management before payout of policy proceeds;
conduct enhanced scrutiny of the entire business relationship with the policyholder.
Article 22
Where a politically exposed person is no longer entrusted with a prominent public function by a Member State or a third country, or with a prominent public function by an international organisation, obliged entities shall, for at least 12 months, be required to take into account the continuing risk posed by that person and to apply appropriate and risk-sensitive measures until such time as that person is deemed to pose no further risk specific to politically exposed persons.
Article 23
The measures referred to in Articles 20 and 21 shall also apply to family members or persons known to be close associates of politically exposed persons.
Article 24
Member States shall prohibit credit institutions and financial institutions from entering into, or continuing, a correspondent relationship with a shell bank. They shall require that those institutions take appropriate measures to ensure that they do not engage in or continue correspondent relationships with a credit institution or financial institution that is known to allow its accounts to be used by a shell bank.
SECTION 4
Performance by third parties
Article 25
Member States may permit obliged entities to rely on third parties to meet the customer due diligence requirements laid down in points (a), (b) and (c) of the first subparagraph of Article 13(1). However, the ultimate responsibility for meeting those requirements shall remain with the obliged entity which relies on the third party.
Article 26
For the purposes of this Section, ‘third parties’ means obliged entities listed in Article 2, the member organisations or federations of those obliged entities, or other institutions or persons situated in a Member State or third country that:
apply customer due diligence requirements and record-keeping requirements that are consistent with those laid down in this Directive; and
have their compliance with the requirements of this Directive supervised in a manner consistent with Section 2 of Chapter VI.
Article 27
Article 28
Member States shall ensure that the competent authority of the home Member State (for group-wide policies and procedures) and the competent authority of the host Member State (for branches and subsidiaries) may consider an obliged entity to comply with the provisions adopted pursuant to Articles 26 and 27 through its group programme, where all of the following conditions are met:
the obliged entity relies on information provided by a third party that is part of the same group;
that group applies customer due diligence measures, rules on record-keeping and programmes against money laundering and terrorist financing in accordance with this Directive or equivalent rules;
the effective implementation of the requirements referred to in point (b) is supervised at group level by a competent authority of the home Member State or of the third country.
Article 29
This Section shall not apply to outsourcing or agency relationships where, on the basis of a contractual arrangement, the outsourcing service provider or agent is to be regarded as part of the obliged entity.
CHAPTER III
BENEFICIAL OWNERSHIP INFORMATION
Article 30
Member States shall ensure that those entities are required to provide, in addition to information about their legal owner, information on the beneficial owner to obliged entities when the obliged entities are taking customer due diligence measures in accordance with Chapter II.
Member States shall require that the beneficial owners of corporate or other legal entities, including through shares, voting rights, ownership interest, bearer shareholdings or control via other means, provide those entities with all the information necessary for the corporate or other legal entity to comply with the requirements in the first subparagraph.
Member States shall ensure that the information on the beneficial ownership is accessible in all cases to:
competent authorities and FIUs, without any restriction;
obliged entities, within the framework of customer due diligence in accordance with Chapter II;
any member of the general public.
The persons referred to in point (c) shall be permitted to access at least the name, the month and year of birth and the country of residence and nationality of the beneficial owner as well as the nature and extent of the beneficial interest held.
Member States may, under conditions to be determined in national law, provide for access to additional information enabling the identification of the beneficial owner. That additional information shall include at least the date of birth or contact details in accordance with data protection rules.
Competent authorities granted access to the central register referred to in paragraph 3 shall be those public authorities with designated responsibilities for combating money laundering or terrorist financing, as well as tax authorities, supervisors of obliged entities and authorities that have the function of investigating or prosecuting money laundering, associated predicate offences and terrorist financing, tracing and seizing or freezing and confiscating criminal assets.
Exemptions granted pursuant to the first subparagraph of this paragraph shall not apply to credit institutions and financial institutions, or to the obliged entities referred to in point (3)(b) of Article 2(1) that are public officials.
Member States shall ensure that the information referred to in paragraph 1 of this Article is available through the system of interconnection of registers established by Article 22(1) of Directive (EU) 2017/1132, in accordance with Member States’ national laws implementing paragraphs 5, 5a and 6 of this Article.
The information referred to in paragraph 1 shall be available through the national registers and through the system of interconnection of registers for at least five years and no more than 10 years after the corporate or other legal entity has been struck off from the register. Member States shall cooperate among themselves and with the Commission in order to implement the different types of access in accordance with this Article.
Article 31
Each Member State shall require that trustees of any express trust administered in that Member State obtain and hold adequate, accurate and up-to-date information on beneficial ownership regarding the trust. That information shall include the identity of:
the settlor(s);
the trustee(s);
the protector(s) (if any);
the beneficiaries or class of beneficiaries;
any other natural person exercising effective control of the trust.
Member States shall ensure that breaches of this Article are subject to effective, proportionate and dissuasive measures or sanctions.
Where the place of establishment or residence of the trustee of the trust or person holding an equivalent position in similar legal arrangement is outside the Union, the information referred to in paragraph 1 shall be held in a central register set up by the Member State where the trustee of the trust or person holding an equivalent position in a similar legal arrangement enters into a business relationship or acquires real estate in the name of the trust or similar legal arrangement.
Where the trustees of a trust or persons holding equivalent positions in a similar legal arrangement are established or reside in different Member States, or where the trustee of the trust or person holding an equivalent position in a similar legal arrangement enters into multiple business relationships in the name of the trust or similar legal arrangement in different Member States, a certificate of proof of registration or an excerpt of the beneficial ownership information held in a register by one Member State may be considered as sufficient to consider the registration obligation fulfilled.
Member States shall ensure that the information on the beneficial ownership of a trust or a similar legal arrangement is accessible in all cases to:
competent authorities and FIUs, without any restriction;
obliged entities, within the framework of customer due diligence in accordance with Chapter II;
any natural or legal person that can demonstrate a legitimate interest;
any natural or legal person that files a written request in relation to a trust or similar legal arrangement which holds or owns a controlling interest in any corporate or other legal entity other than those referred to in Article 30(1), through direct or indirect ownership, including through bearer shareholdings, or through control via other means.
The information accessible to natural or legal persons referred to in points (c) and (d) of the first subparagraph shall consist of the name, the month and year of birth and the country of residence and nationality of the beneficial owner, as well as nature and extent of beneficial interest held.
Member States may, under conditions to be determined in national law, provide for access of additional information enabling the identification of the beneficial owner That additional information shall include at least the date of birth or contact details, in accordance with data protection rules. Member States may allow for wider access to the information held in the register in accordance with their national law.
Competent authorities granted access to the central register referred to in paragraph 3a shall be public authorities with designated responsibilities for combating money laundering or terrorist financing, as well as tax authorities, supervisors of obliged entities and authorities that have the function of investigating or prosecuting money laundering, associated predicate offences and terrorist financing, tracing, and seizing or freezing and confiscating criminal assets.
Exemptions granted pursuant to the first subparagraph shall not apply to the credit institutions and financial institutions, and to obliged entities referred to in point (3)(b) of Article 2(1) that are public officials.
Where a Member State decides to establish an exemption in accordance with the first subparagraph, it shall not restrict access to information by competent authorities and FIUs.
▼M1 —————
Member States shall ensure that the information referred to in paragraph 1 of this Article is available through the system of interconnection of registers established by Article 22(2) of Directive (EU) 2017/1132, in accordance with Member States’ national laws implementing paragraphs 4 and 5 of this Article.
Member States shall take adequate measures to ensure that only the information referred to in paragraph 1 that is up to date and corresponds to the actual beneficial ownership is made available through their national registers and through the system of interconnection of registers, and the access to that information shall be in accordance with data protection rules.
The information referred to in paragraph 1 shall be available through the national registers and through the system of interconnection of registers for at least five years and no more than 10 years after the grounds for registering the beneficial ownership information as referred to in paragraph 3a have ceased to exist. Member States shall cooperate with the Commission in order to implement the different types of access in accordance with paragraphs 4 and 4a.
By 26 June 2020, the Commission shall submit a report to the European Parliament and to the Council assessing whether all trusts and similar legal arrangements as referred to in paragraph 1 governed under the law of Member States were duly identified and made subject to the obligations as set out in this Directive. Where appropriate, the Commission shall take the necessary steps to act upon the findings of that report.
Article 31a
Implementing acts
Where necessary in addition to the implementing acts adopted by the Commission in accordance with Article 24 of Directive (EU) 2017/1132 and in accordance with the scope of Article 30 and 31 of this Directive, the Commission shall adopt by means of implementing acts technical specifications and procedures necessary to provide for the interconnection of Member States’ central registers as referred to in Article 30(10) and Article 31(9), with regard to:
the technical specification defining the set of the technical data necessary for the platform to perform its functions as well as the method of storage, use and protection of such data;
the common criteria according to which beneficial ownership information is available through the system of interconnection of registers, depending on the level of access granted by Member States;
the technical details on how the information on beneficial owners is to be made available;
the technical conditions of availability of services provided by the system of interconnection of registers;
the technical modalities how to implement the different types of access to information on beneficial ownership based on Article 30(5) and Article 31(4);
the payment modalities where access to beneficial ownership information is subject to the payment of a fee according to Article 30(5a) and Article 31(4a) taking into account available payment facilities such as remote payment transactions.
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 64a(2).
In its implementing acts, the Commission shall strive to reuse proven technology and existing practices. The Commission shall ensure that the systems to be developed shall not incur costs above what is absolutely necessary in order to implement this Directive. The Commission’s implementing acts shall be characterised by transparency and the exchange of experiences and information between the Commission and the Member States.
CHAPTER IV
REPORTING OBLIGATIONS
SECTION 1
General provisions
Article 32
Member States shall provide their FIUs with adequate financial, human and technical resources in order to fulfil their tasks.
The FIU's analysis function shall consist of the following:
an operational analysis which focuses on individual cases and specific targets or on appropriate selected information, depending on the type and volume of the disclosures received and the expected use of the information after dissemination; and
a strategic analysis addressing money laundering and terrorist financing trends and patterns.
Article 32a
The following information shall be accessible and searchable through the centralised mechanisms referred to in paragraph 1:
— |
for the customer-account holder and any person purporting to act on behalf of the customer : the name, complemented by either the other identification data required under the national provisions transposing point (a) of Article 13(1) or a unique identification number; |
— |
for the beneficial owner of the customer-account holder : the name, complemented by either the other identification data required under the national provisions transposing point (b) of Article 13(1) or a unique identification number; |
— |
for the bank or payment account : the IBAN number and the date of account opening and closing; |
— |
for the safe-deposit box : name of the lessee complemented by either the other identification data required under the national provisions transposing Article 13(1) or a unique identification number and the duration of the lease period. |
Article 32b
Article 33
Member States shall require obliged entities, and, where applicable, their directors and employees, to cooperate fully by promptly:
informing the FIU, including by filing a report, on their own initiative, where the obliged entity knows, suspects or has reasonable grounds to suspect that funds, regardless of the amount involved, are the proceeds of criminal activity or are related to terrorist financing, and by promptly responding to requests by the FIU for additional information in such cases; and
providing the FIU directly, at its request, with all necessary information.
All suspicious transactions, including attempted transactions, shall be reported.
Article 34
Without prejudice to paragraph 2, the designated self-regulatory body shall, in cases referred to in the first subparagraph of this paragraph, forward the information to the FIU promptly and unfiltered.
Self-regulatory bodies designated by Member States shall publish an annual report containing information about:
measures taken under Articles 58, 59 and 60;
number of reports of breaches received as referred to in Article 61, where applicable;
number of reports received by the self-regulatory body as referred to in paragraph 1 and the number of reports forwarded by the self-regulatory body to the FIU where applicable;
where applicable number and description of measures carried out under Article 47 and 48 to monitor compliance by obliged entities with their obligations under:
Articles 10 to 24 (customer due diligence);
Articles 33, 34 and 35 (suspicious transaction reporting);
Article 40 (record-keeping); and
Articles 45 and 46 (internal controls).
Article 35
Article 36
Article 37
Disclosure of information in good faith by an obliged entity or by an employee or director of such an obliged entity in accordance with Articles 33 and 34 shall not constitute a breach of any restriction on disclosure of information imposed by contract or by any legislative, regulatory or administrative provision, and shall not involve the obliged entity or its directors or employees in liability of any kind even in circumstances where they were not precisely aware of the underlying criminal activity and regardless of whether illegal activity actually occurred.
Article 38
SECTION 2
Prohibition of disclosure
Article 39
CHAPTER V
DATA PROTECTION, RECORD-RETENTION AND STATISTICAL DATA
Article 40
Member States shall require obliged entities to retain the following documents and information in accordance with national law for the purpose of preventing, detecting and investigating, by the FIU or by other competent authorities, possible money laundering or terrorist financing:
in the case of customer due diligence, a copy of the documents and information which are necessary to comply with the customer due diligence requirements laid down in Chapter II, including, where available, information obtained through electronic identification means, relevant trust services as set out in Regulation (EU) No 910/2014 or any other secure, remote or electronic, identification process regulated, recognised, approved or accepted by the relevant national authorities, for a period of five years after the end of the business relationship with their customer or after the date of an occasional transaction;
the supporting evidence and records of transactions, consisting of the original documents or copies admissible in judicial proceedings under the applicable national law, which are necessary to identify transactions, for a period of five years after the end of a business relationship with their customer or after the date of an occasional transaction.
Upon expiry of the retention periods referred to in the first subparagraph, Member States shall ensure that obliged entities delete personal data, unless otherwise provided for by national law, which shall determine under which circumstances obliged entities may or shall further retain data. Member States may allow or require further retention after they have carried out a thorough assessment of the necessity and proportionality of such further retention and consider it to be justified as necessary for the prevention, detection or investigation of money laundering or terrorist financing. That further retention period shall not exceed five additional years.
The retention period referred to in this paragraph, including the further retention period that shall not exceed five additional years, shall also apply in respect of the data accessible through the centralised mechanisms referred to in Article 32a.
Article 41
In applying the prohibition of disclosure laid down in Article 39(1), Member States shall adopt legislative measures restricting, in whole or in part, the data subject's right of access to personal data relating to him or her to the extent that such partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the legitimate interests of the person concerned to:
enable the obliged entity or competent national authority to fulfil its tasks properly for the purposes of this Directive; or
avoid obstructing official or legal inquiries, analyses, investigations or procedures for the purposes of this Directive and to ensure that the prevention, investigation and detection of money laundering and terrorist financing is not jeopardised.
Article 42
Member States shall require that their obliged entities have systems in place that enable them to respond fully and speedily to enquiries from their FIU or from other authorities, in accordance with their national law, as to whether they are maintaining or have maintained, during a five-year period prior to that enquiry a business relationship with specified persons, and on the nature of that relationship, through secure channels and in a manner that ensures full confidentiality of the enquiries.
Article 43
The processing of personal data on the basis of this Directive for the purposes of the prevention of money laundering and terrorist financing as referred to in Article 1 shall be considered to be a matter of public interest under Regulation (EU) 2016/679 of the European Parliament and of the Council ( 22 ).
Article 44
The statistics referred to in paragraph 1 shall include:
data measuring the size and importance of the different sectors which fall within the scope of this Directive, including the number of natural persons and entities and the economic importance of each sector;
data measuring the reporting, investigation and judicial phases of the national AML/CFT regime, including the number of suspicious transaction reports made to the FIU, the follow-up given to those reports and, on an annual basis, the number of cases investigated, the number of persons prosecuted, the number of persons convicted for money laundering or terrorist financing offences, the types of predicate offences, where such information is available, and the value in euro of property that has been frozen, seized or confiscated;
if available, data identifying the number and percentage of reports resulting in further investigation, together with the annual report to obliged entities detailing the usefulness and follow-up of the reports they presented;
data regarding the number of cross-border requests for information that were made, received, refused and partially or fully answered by the FIU, broken down by counterpart country;
human resources allocated to competent authorities responsible for AML/CFT supervision as well as human resources allocated to the FIU to fulfil the tasks specified in Article 32;
the number of on-site and off-site supervisory actions, the number of breaches identified on the basis of supervisory actions and sanctions/administrative measures applied by supervisory authorities.
CHAPTER VI
POLICIES, PROCEDURES AND SUPERVISION
SECTION 1
Internal procedures, training and feedback
Article 45
EBA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 26 December 2016.
EBA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 26 June 2017.
Article 46
Those measures shall include participation of their employees in special ongoing training programmes to help them recognise operations which may be related to money laundering or terrorist financing and to instruct them as to how to proceed in such cases.
Where a natural person falling within any of the categories listed in point (3) of Article 2(1) performs professional activities as an employee of a legal person, the obligations in this Section shall apply to that legal person rather than to the natural person.
SECTION 2
Supervision
Article 47
Article 48
The Commission shall publish a register of those authorities and their contact details on its website. The authorities in the register shall, within the scope of their powers, serve as a contact point for the counterpart competent authorities of the other Member States. ►M2 The financial supervisory authorities of the Member States shall also serve as a contact point for EBA. ◄
In order to ensure the adequate enforcement of this Directive, Member States shall require that all obliged entities are subject to adequate supervision, including the powers to conduct on-site and off-site supervision, and shall take appropriate and proportionate administrative measures to remedy the situation in the case of breaches.
In the case of credit and financial institutions that are part of a group, Member States shall ensure that, for the purposes laid down in the first subparagraph, the competent authorities of the Member State where a parent undertaking is established cooperate with the competent authorities of the Member States where the establishments that are part of group are established.
In the case of the establishments referred to in Article 45(9), supervision as referred to in the first subparagraph of this paragraph may include the taking of appropriate and proportionate measures to address serious failings that require immediate remedies. Those measures shall be temporary and be terminated when the failings identified are addressed, including with the assistance of or in cooperation with the competent authorities of the home Member State of the obliged entity, in accordance with Article 45(2).
In the case of credit and financial institutions that are part of a group, Member States shall ensure that the competent authorities of the Member State where a parent undertaking is established supervise the effective implementation of the group-wide policies and procedures referred to in Article 45(1). For that purpose, Member States shall ensure that the competent authorities of the Member State where credit and financial institutions that are part of the group are established cooperate with the competent authorities of the Member State where the parent undertaking is established.
Member States shall ensure that when applying a risk-based approach to supervision, the competent authorities:
have a clear understanding of the risks of money laundering and terrorist financing present in their Member State;
have on-site and off-site access to all relevant information on the specific domestic and international risks associated with customers, products and services of the obliged entities; and
base the frequency and intensity of on-site and off-site supervision on the risk profile of obliged entities, and on the risks of money laundering and terrorist financing in that Member State.
SECTION 3
Cooperation
Article 49
Member States shall ensure that policy makers, the FIUs, supervisors and other competent authorities involved in AML/CFT, as well as tax authorities and law enforcement authorities when acting within the scope of this Directive, have effective mechanisms to enable them to cooperate and coordinate domestically concerning the development and implementation of policies and activities to combat money laundering and terrorist financing, including with a view to fulfilling their obligation under Article 7.
Article 50
The competent authorities shall provide EBA with all the information necessary to allow it to carry out its duties under this Directive.
Article 50a
Member States shall not prohibit or place unreasonable or unduly restrictive conditions on the exchange of information or assistance between competent authorities for the purposes of this Directive. In particular Member States shall ensure that competent authorities do not refuse a request for assistance on the grounds that:
the request is also considered to involve tax matters;
national law requires obliged entities to maintain secrecy or confidentiality, except in those cases where the relevant information that is sought is protected by legal privilege or where legal professional secrecy applies, as described in Article 34(2);
there is an inquiry, investigation or proceeding underway in the requested Member State, unless the assistance would impede that inquiry, investigation or proceeding;
the nature or status of the requesting counterpart competent authority is different from that of requested competent authority.
Article 51
The Commission may lend such assistance as may be needed to facilitate coordination, including the exchange of information between FIUs within the Union. It may regularly convene meetings of the EU FIUs' Platform composed of representatives from Member States' FIUs, in order to facilitate cooperation among FIUs, exchange views and provide advice on implementation issues relevant for FIUs and reporting entities as well as on cooperation-related issues such as effective FIU cooperation, the identification of suspicious transactions with a cross-border dimension, the standardisation of reporting formats through the FIU.net or its successor, the joint analysis of cross-border cases, and the identification of trends and factors relevant to assessing the risks of money laundering and terrorist financing at national and supranational level.
Article 52
Member States shall ensure that FIUs cooperate with each other to the greatest extent possible, regardless of their organisational status.
Article 53
A request shall contain the relevant facts, background information, reasons for the request and how the information sought will be used. Different exchange mechanisms may apply if so agreed between the FIUs, in particular as regards exchanges through the FIU.net or its successor.
When an FIU receives a report pursuant to point (a) of the first subparagraph of Article 33(1) which concerns another Member State, it shall promptly forward it to the FIU of that Member State.
When an FIU seeks to obtain additional information from an obliged entity established in another Member State which operates on its territory, the request shall be addressed to the FIU of the Member State in whose territory the obliged entity is established. ►M1 That FIU shall obtain information in accordance with Article 33(1) and transfer the answers promptly. ◄
Article 54
Information and documents received pursuant to Articles 52 and 53 shall be used for the accomplishment of the FIU's tasks as laid down in this Directive. When exchanging information and documents pursuant to Articles 52 and 53, the transmitting FIU may impose restrictions and conditions for the use of that information. The receiving FIU shall comply with those restrictions and conditions.
Member States shall ensure that FIUs designate at least one contact person or point to be responsible for receiving requests for information from FIUs in other Member States.
Article 55
Article 56
Article 57
Differences between national law definitions of predicate offences as referred to in point 4 of Article 3 shall not impede the ability of FIUs to provide assistance to another FIU and shall not limit the exchange, dissemination and the use of information pursuant to Articles 53, 54 and 55.
Article 57a
Without prejudice to cases covered by criminal law, confidential information which the persons referred to in the first subparagraph receive in the course of their duties under this Directive may be disclosed only in summary or aggregate form, in such a way that individual credit and financial institutions cannot be identified.
Paragraph 1 shall not prevent the exchange of information between:
competent authorities supervising credit and financial institutions within a Member State in accordance with this Directive or other legislative acts relating to the supervision of credit and financial institutions;
competent authorities supervising credit and financial institutions in different Member States in accordance with this Directive or other legislative acts relating to the supervision of credit and financial institutions, including the European Central Bank (ECB) acting in accordance with Council Regulation (EU) No 1024/2013 ( 23 ). That exchange of information shall be subject to the conditions of professional secrecy indicated in paragraph 1.
By 10 January 2019, the competent authorities supervising credit and financial institutions in accordance with this Directive and the ECB, acting pursuant to Article 27(2) of Regulation (EU) No 1024/2013 and point (g) of the first subparagraph of Article 56 of Directive 2013/36/EU of the European Parliament and of the Council ( 24 ), shall conclude, with the support of the European Supervisory Authorities, an agreement on the practical modalities for exchange of information.
Competent authorities supervising credit and financial institutions receiving confidential information as referred to in paragraph 1, shall only use this information:
in the discharge of their duties under this Directive or under other legislative acts in the field of AML/CFT, of prudential regulation and of supervising credit and financial institutions, including sanctioning;
in an appeal against a decision of the competent authority supervising credit and financial institutions, including court proceedings;
in court proceedings initiated pursuant to special provisions provided for in Union law adopted in the field of this Directive or in the field of prudential regulation and supervision of credit and financial institutions.
Where the information exchanged originates in another Member State, it shall only be disclosed with the explicit consent of the competent authority which shared it and, where appropriate, solely for the purposes for which that authority gave its consent.
Article 57b
The information received shall in any event be subject to professional secrecy requirements at least equivalent to those referred to in Article 57a(1).
However, confidential information exchanged according to this paragraph shall only be used for the purpose of performing the legal tasks of the authorities concerned. Persons having access to such information shall be subject to professional secrecy requirements at least equivalent to those referred to in Article 57a(1).
Member States may authorise the disclosure of certain information relating to the supervision of credit institutions for compliance with this Directive to Parliamentary inquiry committees, courts of auditors and other entities in charge of enquiries, in their Member State, under the following conditions:
the entities have a precise mandate under national law to investigate or scrutinise the actions of authorities responsible for the supervision of those credit institutions or for laws on such supervision;
the information is strictly necessary for fulfilling the mandate referred to in point (a);
the persons with access to the information are subject to professional secrecy requirements under national law at least equivalent to those referred to in Article 57a(1);
where the information originates in another Member State, it shall not be disclosed without the express consent of the competent authorities which have disclosed it and, solely for the purposes for which those authorities gave their consent.
SECTION 4
Sanctions
Article 58
Member States may decide not to lay down rules for administrative sanctions or measures for breaches which are subject to criminal sanctions in their national law. In that case, Member States shall communicate to the Commission the relevant criminal law provisions.
Member States shall further ensure that where their competent authorities identify breaches which are subject to criminal sanctions, they inform the law enforcement authorities in a timely manner.
Competent authorities shall exercise their powers to impose administrative sanctions and measures in accordance with this Directive, and with national law, in any of the following ways:
directly;
in collaboration with other authorities;
under their responsibility by delegation to such other authorities;
by application to the competent judicial authorities.
In the exercise of their powers to impose administrative sanctions and measures, competent authorities shall cooperate closely in order to ensure that those administrative sanctions or measures produce the desired results and coordinate their action when dealing with cross-border cases.
Article 59
Member States shall ensure that this Article applies at least to breaches on the part of obliged entities that are serious, repeated, systematic, or a combination thereof, of the requirements laid down in:
Articles 10 to 24 (customer due diligence);
Articles 33, 34 and 35 (suspicious transaction reporting);
Article 40 (record-keeping); and
Articles 45 and 46 (internal controls).
Member States shall ensure that in the cases referred to in paragraph 1, the administrative sanctions and measures that can be applied include at least the following:
a public statement which identifies the natural or legal person and the nature of the breach;
an order requiring the natural or legal person to cease the conduct and to desist from repetition of that conduct;
where an obliged entity is subject to an authorisation, withdrawal or suspension of the authorisation;
a temporary ban against any person discharging managerial responsibilities in an obliged entity, or any other natural person, held responsible for the breach, from exercising managerial functions in obliged entities;
maximum administrative pecuniary sanctions of at least twice the amount of the benefit derived from the breach where that benefit can be determined, or at least EUR 1 000 000 .
Member States shall ensure that, by way of derogation from paragraph 2(e), where the obliged entity concerned is a credit institution or financial institution, the following sanctions can also be applied:
in the case of a legal person, maximum administrative pecuniary sanctions of at least EUR 5 000 000 or 10 % of the total annual turnover according to the latest available accounts approved by the management body; where the obliged entity is a parent undertaking or a subsidiary of a parent undertaking which is required to prepare consolidated financial accounts in accordance with Article 22 of Directive 2013/34/EU, the relevant total annual turnover shall be the total annual turnover or the corresponding type of income in accordance with the relevant accounting Directives according to the last available consolidated accounts approved by the management body of the ultimate parent undertaking;
in the case of a natural person, maximum administrative pecuniary sanctions of at least EUR 5 000 000 , or in the Member States whose currency is not the euro, the corresponding value in the national currency on 25 June 2015.
Article 60
Where the publication of the identity of the persons responsible as referred to in the first subparagraph or the personal data of such persons is considered by the competent authority to be disproportionate following a case-by-case assessment conducted on the proportionality of the publication of such data, or where publication jeopardises the stability of financial markets or an on-going investigation, competent authorities shall:
delay the publication of the decision to impose an administrative sanction or measure until the moment at which the reasons for not publishing it cease to exist;
publish the decision to impose an administrative sanction or measure on an anonymous basis in a manner in accordance with national law, if such anonymous publication ensures an effective protection of the personal data concerned; in the case of a decision to publish an administrative sanction or measure on an anonymous basis, the publication of the relevant data may be postponed for a reasonable period of time if it is foreseen that within that period the reasons for anonymous publication shall cease to exist;
not publish the decision to impose an administrative sanction or measure at all in the event that the options set out in points (a) and (b) are considered insufficient to ensure:
that the stability of financial markets would not be put in jeopardy; or
the proportionality of the publication of the decision with regard to measures which are deemed to be of a minor nature.
Member States shall ensure that when determining the type and level of administrative sanctions or measures, the competent authorities shall take into account all relevant circumstances, including where applicable:
the gravity and the duration of the breach;
the degree of responsibility of the natural or legal person held responsible;
the financial strength of the natural or legal person held responsible, as indicated for example by the total turnover of the legal person held responsible or the annual income of the natural person held responsible;
the benefit derived from the breach by the natural or legal person held responsible, insofar as it can be determined;
the losses to third parties caused by the breach, insofar as they can be determined;
the level of cooperation of the natural or legal person held responsible with the competent authority;
previous breaches by the natural or legal person held responsible.
Member States shall ensure that legal persons can be held liable for the breaches referred to in Article 59(1) committed for their benefit by any person, acting individually or as part of an organ of that legal person, and having a leading position within the legal person based on any of the following:
power to represent the legal person;
authority to take decisions on behalf of the legal person; or
authority to exercise control within the legal person.
Article 61
For that purpose, they shall provide one or more secure communication channels for persons for the reporting referred to in the first subparagraph. Such channels shall ensure that the identity of persons providing information is known only to the competent authorities, as well as, where applicable, self-regulatory bodies.
The mechanisms referred to in paragraph 1 shall include at least:
specific procedures for the receipt of reports on breaches and their follow-up;
appropriate protection for employees or persons in a comparable position, of obliged entities who report breaches committed within the obliged entity;
appropriate protection for the accused person;
protection of personal data concerning both the person who reports the breaches and the natural person who is allegedly responsible for a breach, in compliance with the principles laid down in Directive 95/46/EC;
clear rules that ensure that confidentiality is guaranteed in all cases in relation to the person who reports the breaches committed within the obliged entity, unless disclosure is required by national law in the context of further investigations or subsequent judicial proceedings.
Member States shall ensure that individuals, including employees and representatives of the obliged entity who report suspicions of money laundering or terrorist financing internally or to the FIU, are legally protected from being exposed to threats, retaliatory or hostile action, and in particular from adverse or discriminatory employment actions.
Member States shall ensure that individuals who are exposed to threats, hostile actions, or adverse or discriminatory employment actions for reporting suspicions of money laundering or terrorist financing internally or to the FIU are entitled to present a complaint in a safe manner to the respective competent authorities. Without prejudice to the confidentiality of information gathered by the FIU, Member States shall also ensure that such individuals have the right to effective remedy to safeguard their rights under this paragraph.
Article 62
CHAPTER VII
FINAL PROVISIONS
Article 63
Point (d) of paragraph 2 of Article 25 of Regulation (EU) No 648/2012 of the European Parliament and the Council ( 25 ) is replaced by the following:
‘(d) the CCP is established or authorised in a third country that is not considered, by the Commission in accordance with Directive (EU) 2015/849 of the European Parliament and of the Council ( 26 ), as having strategic deficiencies in its national anti-money laundering and counter financing of terrorism regime that poses significant threats to the financial system of the Union.
Article 64
Article 64a
Article 65
That report shall include in particular:
an account of specific measures adopted and mechanisms set up at Union and Member State level to prevent and address emerging problems and new developments presenting a threat to the Union financial system;
follow-up actions undertaken at Union and Member State level on the basis of concerns brought to their attention, including complaints relating to national laws hampering the supervisory and investigative powers of competent authorities and self-regulatory bodies;
an account of the availability of relevant information for the competent authorities and FIUs of the Member States, for the prevention of the use of the financial system for the purposes of money laundering and terrorist financing;
an account of the international cooperation and information exchange between competent authorities and FIUs;
an account of necessary Commission actions to verify that Member States take action in compliance with this Directive and to assess emerging problems and new developments in the Member States;
an analysis of feasibility of specific measures and mechanisms at Union and Member State level on the possibilities to collect and access the beneficial ownership information of corporate and other legal entities incorporated outside of the Union and of the proportionality of the measures referred to in point (b) of Article 20;
an evaluation of how fundamental rights and principles recognised by the Charter of Fundamental Rights of the European Union have been respected.
The first report, to be published by 11 January 2022, shall be accompanied, if necessary, by appropriate legislative proposals, including, where appropriate, with respect to virtual currencies, empowerments to set-up and maintain a central database registering users’ identities and wallet addresses accessible to FIUs, as well as self-declaration forms for the use of virtual currency users, and to improve cooperation between Asset Recovery Offices of the Member States and a risk-based application of the measures referred to in point (b) of Article 20.
Article 66
Directives 2005/60/EC and 2006/70/EC are repealed with effect from 26 June 2017.
References to the repealed Directives shall be construed as references to this Directive and shall be read in accordance with the correlation table set out in Annex IV.
Article 67
Member States shall apply Article 12(3) as of 10 July 2020.
Member States shall set up the registers referred to in Article 30 by 10 January 2020 and the registers referred to in Article 31 by 10 March 2020 and the centralised automated mechanisms referred to in Article 32a by 10 September 2020.
The Commission shall ensure the interconnection of registers referred to in Articles 30 and 31 in cooperation with the Member States by 10 March 2021.
Member States shall immediately communicate the text of the measures referred to in this paragraph to the Commission.
When Member States adopt those measures, they shall contain a reference to this Directive or be accompanied by such a reference on the occasion of their official publication. The methods of making such reference shall be laid down by Member States.
Article 68
This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
Article 69
This Directive is addressed to the Member States.
ANNEX I
The following is a non-exhaustive list of risk variables that obliged entities shall consider when determining to what extent to apply customer due diligence measures in accordance with Article 13(3):
the purpose of an account or relationship;
the level of assets to be deposited by a customer or the size of transactions undertaken;
the regularity or duration of the business relationship.
ANNEX II
The following is a non-exhaustive list of factors and types of evidence of potentially lower risk referred to in Article 16:
Customer risk factors:
public companies listed on a stock exchange and subject to disclosure requirements (either by stock exchange rules or through law or enforceable means), which impose requirements to ensure adequate transparency of beneficial ownership;
public administrations or enterprises;
customers that are resident in geographical areas of lower risk as set out in point (3);
Product, service, transaction or delivery channel risk factors:
life insurance policies for which the premium is low;
insurance policies for pension schemes if there is no early surrender option and the policy cannot be used as collateral;
a pension, superannuation or similar scheme that provides retirement benefits to employees, where contributions are made by way of deduction from wages, and the scheme rules do not permit the assignment of a member's interest under the scheme;
financial products or services that provide appropriately defined and limited services to certain types of customers, so as to increase access for financial inclusion purposes;
products where the risks of money laundering and terrorist financing are managed by other factors such as purse limits or transparency of ownership (e.g. certain types of electronic money);
Geographical risk factors — registration, establishment, residence in:
Member States;
third countries having effective AML/CFT systems;
third countries identified by credible sources as having a low level of corruption or other criminal activity;
third countries which, on the basis of credible sources such as mutual evaluations, detailed assessment reports or published follow-up reports, have requirements to combat money laundering and terrorist financing consistent with the revised FATF Recommendations and effectively implement those requirements.
ANNEX III
The following is a non-exhaustive list of factors and types of evidence of potentially higher risk referred to in Article 18(3):
Customer risk factors:
the business relationship is conducted in unusual circumstances;
customers that are resident in geographical areas of higher risk as set out in point (3);
legal persons or arrangements that are personal asset-holding vehicles;
companies that have nominee shareholders or shares in bearer form;
businesses that are cash-intensive;
the ownership structure of the company appears unusual or excessively complex given the nature of the company's business;
customer is a third country national who applies for residence rights or citizenship in the Member State in exchange of capital transfers, purchase of property or government bonds, or investment in corporate entities in that Member State.
Product, service, transaction or delivery channel risk factors:
private banking;
products or transactions that might favour anonymity;
non-face-to-face business relationships or transactions, without certain safeguards, such as electronic identification means, relevant trust services as defined in Regulation (EU) No 910/2014 or any other secure, remote or electronic, identification process regulated, recognised, approved or accepted by the relevant national authorities;
payment received from unknown or unassociated third parties;
new products and new business practices, including new delivery mechanism, and the use of new or developing technologies for both new and pre-existing products;
transactions related to oil, arms, precious metals, tobacco products, cultural artefacts and other items of archaeological, historical, cultural and religious importance, or of rare scientific value, as well as ivory and protected species.
Geographical risk factors:
without prejudice to Article 9, countries identified by credible sources, such as mutual evaluations, detailed assessment reports or published follow-up reports, as not having effective AML/CFT systems;
countries identified by credible sources as having significant levels of corruption or other criminal activity;
countries subject to sanctions, embargos or similar measures issued by, for example, the Union or the United Nations;
countries providing funding or support for terrorist activities, or that have designated terrorist organisations operating within their country.
ANNEX IV
Correlation table
This Directive |
Directive 2005/60/EC |
Directive 2006/70/EC |
— |
|
Article 1 |
— |
|
Article 3 |
— |
|
Article 5 |
— |
|
Article 6 |
— |
|
Article 7 |
Article 1 |
Article 1 |
|
Article 2 |
Article 2 |
|
Article 2(3) to (9) |
|
Article 4 |
Article 3 |
Article 3 |
|
Article 3(9), (10) and (11) |
|
Article 2(1), (2) and (3) |
Article 4 |
Article 4 |
|
Article 5 |
Article 5 |
|
Articles 6 to 8 |
— |
|
Article 10 |
Article 6 |
|
Article 11 |
Article 7 |
|
Article 13 |
Article 8 |
|
Article 14 |
Article 9 |
|
Article 11(d) |
Article 10(1) |
|
— |
Article 10(2) |
|
Articles 15, 16 and 17 |
Article 11 |
|
— |
Article 12 |
|
Articles 18 to 24 |
Article 13 |
|
Article 22 |
|
Article 2(4) |
Article 25 |
Article 14 |
|
— |
Article 15 |
|
Article 26 |
Article 16 |
|
— |
Article 17 |
|
Article 27 |
Article 18 |
|
Article 28 |
— |
|
Article 29 |
Article 19 |
|
Article 30 |
— |
|
Article 31 |
— |
|
— |
Article 20 |
|
Article 32 |
Article 21 |
|
Article 33 |
Article 22 |
|
Article 34 |
Article 23 |
|
Article 35 |
Article 24 |
|
Article 36 |
Article 25 |
|
Article 37 |
Article 26 |
|
Article 38 |
Article 27 |
|
Article 39 |
Article 28 |
|
— |
Article 29 |
|
Article 40 |
Article 30 |
|
Article 45 |
Article 31 |
|
Article 42 |
Article 32 |
|
Article 44 |
Article 33 |
|
Article 45 |
Article 34 |
|
Article 46 |
Article 35 |
|
Article 47 |
Article 36 |
|
Article 48 |
Article 37 |
|
Article 49 |
— |
|
Article 50 |
Article 37a |
|
Article 51 |
Article 38 |
|
Articles 52 to 57 |
— |
|
Articles 58 to 61 |
Article 39 |
|
— |
Article 40 |
|
— |
Article 41 |
|
— |
Article 41a |
|
— |
Article 41b |
|
Article 65 |
Article 42 |
|
— |
Article 43 |
|
Article 66 |
Article 44 |
|
Article 67 |
Article 45 |
|
Article 68 |
Article 46 |
|
Article 69 |
Article 47 |
|
( 1 ) Council Framework Decision 2002/475/JHA of 13 June 2002 on combating terrorism (OJ L 164, 22.6.2002, p. 3).
( 2 ) Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC (OJ L 319, 5.12.2007, p. 1).
( 3 ) Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).
( 4 ) Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).
( 5 ) Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009 on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II) (OJ L 335, 17.12.2009, p. 1).
( 6 ) Directive 2004/39/EC of the European Parliament and of the Council of 21 April 2004 on markets in financial instruments amending Council Directives 85/611/EEC and 93/6/EEC and Directive 2000/12/EC of the European Parliament and of the Council and repealing Council Directive 93/22/EEC (OJ L 145, 30.4.2004, p. 1).
( 7 ) Directive 2002/92/EC of the European Parliament and of the Council of 9 December 2002 on insurance mediation (OJ L 9, 15.1.2003, p. 3).
( 8 ) Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).
( 9 ) Council Framework Decision 2008/841/JHA of 24 October 2008 on the fight against organised crime (OJ L 300, 11.11.2008, p. 42).
( 10 ) OJ C 316, 27.11.1995, p. 49.
( 11 ) Directive 2013/34/EU of the European Parliament and of the Council of 26 June 2013 on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings, amending Directive 2006/43/EC of the European Parliament and of the Council and repealing Council Directives 78/660/EEC and 83/349/EEC (OJ L 182, 29.6.2013, p. 19).
( 12 ) Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12).
( 13 ) Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 (see page 1 of this Official Journal).
( 14 ) Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, p. 35).
( 15 ) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73).
( 16 ) Council Directive 2011/16/EU of 15 February 2011 on administrative cooperation in the field of taxation and repealing Directive 77/799/EEC (OJ L 64, 11.3.2011, p. 1).
( 17 ) Directive 2009/101/EC of the European Parliament and of the Council of 16 September 2009 on coordination of safeguards which, for the protection of the interests of members and third parties, are required by Member States of companies within the meaning of the second paragraph of Article 48 of the Treaty, with a view to making such safeguards equivalent (OJ L 258, 1.10.2009, p. 11).
( 18 ) Directive (EU) 2017/1132 of the European Parliament and of the Council of 14 June 2017 relating to certain aspects of company law (OJ L 169, 30.6.2017, p. 46).
( 19 ) Regulation (EU) No 260/2012 of the European Parliament and of the Council of 14 March 2012 establishing technical and business requirements for credit transfers and direct debits in euro and amending Regulation (EC) No 924/2009 (OJ L 94, 30.3.2012, p. 22).
( 20 ) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
( 21 ) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
( 22 ) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
( 23 ) Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63).
( 24 ) Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).
( 25 ) Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1).
( 26 ) Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purpose of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141, 5.6.2015, p. 73).’.
( 27 ) Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 (OJ L 141, 5.6.2015, p. 1).
( 28 ) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).