EUROPEAN COMMISSION
Brussels, 11.3.2024
SWD(2024) 50 final
COMMISSION STAFF WORKING DOCUMENT
accompanying the
Report from the Commission to the European Parliament and the Council
on the implementation of Directive (EU) 2015/849
{COM(2024) 112 final}
Contents
1.Introduction
2.Legal basis
3.Implementation of AMLD
3.1.Commission actions to verify Member State compliance/transposition checks of AMLD4
3.2.Transposition checks of AMLD5
3.3.Further action on beneficial ownership registers
3.4.Impact of the Sovim judgment on public access to BO registers
3.5.European semester, Recovery and Resilience Facility
4.Surveys conducted by the Commission in 2022 among Member States
4.1.Follow-up actions undertaken at Member State level based on concerns regarding national laws hampering the supervisory and investigative powers of competent authorities and self-regulatory bodies
4.2.Risk assessment and risk mitigation
4.3.National Competent Authorities (NCAs) and FIUs – Information access and cooperation
4.4.Respect of fundamental rights and principles recognised by the Charter of Fundamental Rights of the European Union
4.5.Central database for the registration of virtual currency users’ identities
5.EBA contribution to the report on the implementation of Directive (EU) 2015/849
5.1.Implementation of AMLD
5.2.ML/TF risk assessment including emerging risks and risk mitigation
5.3.NCAs and FIUs – Information access and cooperation
1.Introduction
The legal framework relating to money laundering and terrorist financing is subject to continuous change, dynamically adapting to market developments. The first EU Anti-money laundering Directive (AMLD1 ( 1 )) – adopted more than thirty years ago in 1991 – only applied to financial institutions and focused on combatting the laundering of proceeds of drug trafficking. Since then, the AMLD has undergone three major reforms, in 2001 (AMLD2 ( 2 )), 2005 (AMLD3 ( 3 )) and 2015 (AMLD4 ( 4 )), as well as substantial amendments in 2018 (AMLD5 ( 5 )). Today, it addresses the prevention of money laundering resulting from all serious criminal offences and lays down obligations for several non-financial activities and professions, including lawyers, notaries, accountants, estate agents, art dealers, jewellers, auctioneers and casinos. The concept of beneficial ownership (BO) has been introduced to increase transparency of complex corporate structures. Enforcement follows a risk-based approach to focus resources where risks are highest ( 6 ).
The Commission’s impact assessment accompanying the Anti-money laundering package outlines the background to the latest amendment of the anti-money laundering and countering the financing of terrorism (AML/CFT) legal framework. Since 2017, during the implementation phase of AMLD4 and AMLD5, a number of high-profile money laundering cases surfaced across the EU, involving billions of euros laundered through EU credit institutions, or through the involvement of professionals and undertakings operating outside the financial sector, such as auditors, tax advisors and trust and company service providers. These prominent cases revealed the existence of structural weaknesses in the current system. The limitations of the current framework were analysed and summarised in a package of Commission documents ( 7 ) published in July 2019 concerning anti-money laundering and countering the financing of terrorism, including a so-called ‘post-mortem’ report on alleged money laundering cases involving EU banks. The evidence points to a fragmented, inconsistent and uncoordinated implementation and application of EU anti-money laundering rules. The 2019 Communication concluded that the problems identified were of a structural nature and could not be remedied by the most recent review of EU rules in this area (AMLD5) ( 8 ).
An important step forward for a comprehensive Union policy on preventing money laundering and terrorist financing was the presentation of an Action Plan by the Commission on 7 May 2020. The Action Plan sets out the measures that the Commission will undertake to better enforce, supervise and coordinate the EU’s rules on combating money laundering and terrorist financing, with six priorities or pillars:
1. Ensuring the effective implementation of the existing EU AML/ CFT framework
2. Establishing an EU single rulebook on AML /CFT
3. Bringing about EU-level AML/ CFT supervision
4. Establishing a support and cooperation mechanism for FIUs
5. Enforcing EU-level criminal law provisions and information exchange
6. Strengthening the international dimension of the EU AML/CFT framework
To keep pace with developments on the market and address the identified weaknesses, the Commission published an ambitious legislative package in July 2021. This package consists of legislative proposals for a Regulation establishing a new EU AML/CFT Authority, a Regulation on AML/CFT, a sixth AML Directive and a revision of the Regulation on Transfers of Funds. Negotiations on the latter have concluded with the act adopted by co-legislators in May 2023 ( 9 ).
One of the biggest changes in the EU legislative framework in comparison to the very first Directive from 1991 is the proposal to create a European AML authority, AMLA. This authority will establish an integrated system of AML/CFT supervision, based on common supervisory methods and convergence of high supervisory standards. AMLA will also directly supervise some of the riskiest financial institutions in the EU, while supporting cooperation among national FIUs and coordinating the supervisors in the non-financial sector.
Three developments in the last 30 years should be highlighted here: the 1991 market is not comparable to that of today. One of the main changes is that, as technology advances, new business activities have been and will be opened up in the financial market, and this progression of technology will be exploited by criminals. The regulatory framework is therefore continually required to adapt to market developments. In response to this, the Commission regularly carries out a supranational risk assessment of the internal market, with the last supranational risk assessment dating to October 2022 ( 10 ).
Furthermore, the 1991 market is not comparable to that of today since cooperation between different stakeholders in the financial market is much more evolved. The value of information exchange is generally recognised. Among others, AML/CFT public-private partnerships flourish across various Member States. The Commission services published a paper in October 2022 to issue guidance on those public-private partnerships ( 11 ). Moreover, the Commission actively promotes cooperation between the EU Financial Intelligence Units (FIUs). The EU FIU Platform was established to facilitate cooperation among national FIUs and exchange views on related issues such as effective international FIU co-operation. Its mission furthermore comprises the identification of suspicious transactions with a cross-border dimension, the standardisation of reporting formats through the FIU.net network or its successor and the joint analysis of cross-border cases. In addition, the platform provides advice and expertise to the Commission on operational issues in the context of the functions performed by FIUs.
Over the last years numerous terrorist attacks have taken place in Member States. Terrorist financing poses not just a serious threat to the integrity of the EU economy, but also to the security of its citizens.
Furthermore, corruption and money laundering are intrinsically linked. Strengthening the ability of FIUs to detect, analyse and disseminate financial intelligence related to the laundering of proceeds of crime is a key prerequisite for the effective investigation and prosecution of corruption offences ( 12 ).
One circumstance is still the same as in earlier Directives: the current legislative framework is based on a Directive that requires transposition into national law. This transposition by the different Member States can create divergence in national rules, resulting in fragmented approaches across the EU. However, the Commission must ensure that the legal framework is implemented correctly by Member States. With the new AMLR a framework will be put in place that does not need to be transposed into national law.
The last few years have been marked by many challenges in the field of AML/CFT. Overall, it can be seen that the market has not only changed comprehensively, but also that the Commission has continuously reacted to these changes by regularly analysing risk, providing written guidance to the market and intervening, where necessary, to ensure the conformity of Member States’ transposition of the AML legal framework. Moreover, the Commission has adopted an ambitious legislative package to address current and future challenges.
This staff working document includes contributions to the report from different sources: two surveys conducted by Commission services among Member States, as well as contributions from the European Banking Authority (EBA) and from the Council of Europe (CoE).
2.Legal basis
The legal basis for this report is Article 65(1) AMLD, which sets out:
Article 65(1): By 11 January 2022 ( 13 ), and every three years thereafter, the Commission shall draw up a report on the implementation of this Directive and submit it to the European Parliament and to the Council.
That report shall include in particular:
(a) an account of specific measures adopted and mechanisms set up at Union and Member State level to prevent and address emerging problems and new developments presenting a threat to the Union financial system;
(b) follow-up actions undertaken at Union and Member State level on the basis of concerns brought to their attention, including complaints relating to national laws hampering the supervisory and investigative powers of competent authorities and self-regulatory bodies;
(c) an account of the availability of relevant information for the competent authorities and FIUs of the Member States, for the prevention of the use of the financial system for the purposes of money laundering and terrorist financing;
(d) an account of the international cooperation and information exchange between competent authorities and FIUs;
(e) an account of necessary Commission actions to verify that Member States take action in compliance with this Directive and to assess emerging problems and new developments in the Member States;
(f) an analysis of feasibility of specific measures and mechanisms at Union and Member State level on the possibilities to collect and access the beneficial ownership information of corporate and other legal entities incorporated outside of the Union and of the proportionality of the measures referred to in point (b) of Article 20;
(g) an evaluation of how fundamental rights and principles recognised by the Charter of Fundamental Rights of the European Union have been respected.
The first report, to be published by 11 January 2022, shall be accompanied, if necessary, by appropriate legislative proposals, including, where appropriate, with respect to virtual currencies, empowerments to set-up and maintain a central database registering users’ identities and wallet addresses accessible to FIUs, as well as self-declaration forms for the use of virtual currency users, and to improve cooperation between Asset Recovery Offices of the Member States and a risk-based application of the measures referred to in point (b) of Article 20.
3.Implementation of AMLD
3.1.Commission actions to verify Member State compliance/transposition checks of AMLD4
To ensure the highest protection of EU citizens, it is vital that the EU AML/CFT legal framework is applied by all economic operators, in all Member States, and with the same level of scrutiny and effectiveness. Therefore, strengthening enforcement and increasing compliance are priorities for ensuring the highest protection of EU citizens and providing a level playing field both within the EU and between EU and non-EU players.
Compared to its predecessors, AMLD4 created a strengthened, yet more flexible, regime by further promoting a risk-based approach. It was published in the Official Journal of the European Union on 5 June 2015 and entered into force the twentieth day following that of its publication in the Official Journal of the European Union. With a two-year window for transposition, the EU Member States had to adopt relevant provisions by 26 June 2017.
Due mainly to the complex nature of the Directive and administrative and technical requirements involved (like the setting up of the beneficial ownership/BO registers), the transposition of AMLD4 proved to be a difficult task for Member States. A further layer of complication was added to the process when, in 2016, the Commission tabled an amending proposal, which would become AMLD5. In fact, several Member States announced their intention to incorporate most of the necessary measures during the transposition of AMLD5 only. As a consequence, by the transposition deadline for AMLD4, no Member State had declared a complete transposition.
Nevertheless, the Commission took a very proactive and strong stance on the transposition of AMLD4 and, after the transposition deadline, an in-depth analysis of how completely and correctly all Member States had acted was initiated. This process led to the opening of infringement proceedings against all Member States for non-communication or incomplete communication of their transposing measures.
Decisions to refer non-communication cases to the Court of Justice were executed in two cases (Ireland, Case C-550-18, and Romania, Case C-549-18). These cases are closed now and currently all the 27 Member States have adopted complete transpositions of AMLD4.
EU legislation can only achieve its intended effects if the provisions in the relevant directives are not only completely, but also correctly implemented in Member States’ national laws by the deadline set out in these directives. Thus, between 2018 and 2022, 12 infringement cases were opened against Member States on non-conformity grounds. Observations on conformity have been communicated formally, as letters of formal notice, to five of these Member States. As of today, only two cases continue to be open, one at the stage of letter of formal notice and the other at the stage of reasoned opinion.
3.2.Transposition checks of AMLD5
In July 2016, in the aftermath of the terrorist attacks that struck the EU and the vast financial dealings uncovered by the “Panama Papers”, the Commission decided to take urgent countermeasures and reinforce the EU AML/CFT framework. On 19 June 2018 AMLD5, which amended AMLD4, was published in the Official Journal of the European Union. The Member States had to transpose this Directive by 10 January 2020.
AMLD5 further strengthened the EU's AML/CFT regime in multiple ways, including: increasing transparency regarding the beneficial ownership of companies; enhancing cooperation and information sharing between financial supervisory authorities; introducing stricter controls of transactions with customers located in high-risk third countries; restricting the anonymous use of virtual currencies; allowing for better identification of politically exposed persons ("PEPs") and extending the scope of sectors and firms subject to AML/CFT obligations.
In February 2020, the Commission addressed letters of formal notice to eight Member States due to the absence of communication of measures taken to transpose AMLD5 into national law. In May 2020 another eight letters were similarly addressed to those Member States that had only declared a partial transposition of AMLD5. In five cases the proceedings for partial communication reached the stage of reasoned opinion.
On top of the previously mentioned reasons explaining the delay of the transposition of AMLD4, still affecting the process for AMLD5, the impact of the COVID-19 pandemic should also be mentioned. In future, if the Commission’s 2021 AML/CFT legislative package is adopted, directly applicable rules in a Regulation will remove the need for transposition and reduce delays in the application of EU rules, whilst also freeing up resources for enforcement purposes.
At the cut-off date of 15 September 2023, all Member States have declared a complete transposition of AMLD5. Both the completeness and conformity of the transpositions of AMLD5 is being assessed at the same time, despite the standard Commission practice where usually conformity checks are done after the completeness checks. For AMLD5, the responsible Commission services consider that ensuring complete and correct transposition of the existing AML framework merits urgency. When shortcomings are identified and credible and imminent plans to modify national laws are not received, infringement procedures are proposed. The conformity check for all the provisions of AMLD 5 will be finalised in the course of 2023.
On possible non-conformity issues, proceedings have been opened on non-conform transposition of the BO-related dispositions of four Member States.
3.3.Further action on beneficial ownership registers
Furthermore, the Commission has put a special focus on BO registers given their importance in the EU regulatory approach to anti-money laundering by particularly focusing on these provisions during the checks of complete and correct transposition of AMLD5. There are ongoing administrative exchanges with Member States.
In January 2023 a meeting on AML Registers was organized with Member States to discuss key operational aspects of national BO registers, good practices, and implementation challenges.
In addition, following a request from the European Parliament, the Commission launched a preparatory action for capacity building, programmatic development, and communication in the context of the fight against money laundering and financial crimes. The project has been implemented by the Transparency International Secretariat together with Tax Justice Network, Transcrime - Università Cattolica del Sacro Cuore and the Government Transparency Institute and pursued two main goals: ensuring that civil society actors become more active users of BO information and creating greater synergies between civil society and the EU in the fight against money laundering and financial crimes. The project demonstrated the value of dialogue between civil society actors, authorities and the private sector in the context of BO transparency.
Finally, the Commission has consistently supported an ambitious approach to strengthen international standards on BO transparency, in particular by contributing to the work of the Financial Action Task Force (FATF) in that area on the recent revisions of Recommendation 24 (transparency and BO of legal persons) and Recommendation 25 (transparency and BO of legal arrangements).
3.4.Impact of the Sovim judgment on public access to BO registers
The Court of Justice has made a decision with significant impact on public access to BO registers. On 22 November 2022, the Court delivered its judgment in joined cases WM (C-37/20) and Sovim SA (C-601/20) versus Luxembourg Business Registers and invalidated the requirement introduced by AMLD5 that Member States must make information on the BO of legal persons held in central registers accessible in all cases to any member of the general public. The Court considered that such indiscriminate public access was neither strictly necessary to prevent money laundering and terrorist financing, nor proportionate and could therefore not justify a serious interference with fundamental rights, namely the right to respect for private life and to the protection of personal data enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. The consequences of the judgement are being taken into account in the interinstitutional negotiations on the AML/CFT legislative package.
3.5.European semester, Recovery and Resilience Facility
In addition to enforcement, further AML/CFT activities of the Commission are undertaken within the European Semester and the linked Recovery and Resilience Facility (RRF): The European Semester is a tool to enhance policy coordination in the European Union and to strengthen its economic governance. In the framework if this exercise the Commission publishes a country report for each Member State every year providing guidance on identified key economic and social challenges. Together with the country reports, the Commission presents a series of proposals for country-specific recommendations. Since 2022 the European Semester exercise has been linked to the RRF, the EU flagship initiative adopted with the purpose of mitigating the economic and social impact of the COVID-19 pandemic. The funds raised through the Facility are made available to Member States to implement ambitious reforms and investments that address the challenges identified in the country-specific recommendations under the European Semester framework. In the past the Commission has made several country specific recommendations to Member States, inviting them to improve specific aspects of the national AML/CFT framework. To a large extent the Member States have translated those general recommendations into specific and concrete actions in their national Recovery and Resilience plans. These AML/CFT related milestones aim at improving the implementation of the ALM/CFT framework in practice, such as through capacity building actions and training programs for officials, digitalization projects to improve administrative efficiency or the development of adapted IT tools.
4.Surveys conducted by the Commission in 2022 among Member States
In June 2022 the Commission services initiated a survey through the Expert Group on ML/TF (EGMLTF) and in August 2022 through the EBA´s network of AML/CFT national experts with the purpose of gathering input for this report. A further survey was circulated to FIUs in August 2022 to gather input regarding information access and cooperation of FIUs.
4.1.Follow-up actions undertaken at Member State level based on concerns regarding national laws hampering the supervisory and investigative powers of competent authorities and self-regulatory bodies
Summary of responses
What follow-up actions have been undertaken at Member State level on the basis of concerns brought to their attention, including complaints relating to national laws hampering the supervisory and investigative powers of competent authorities and self-regulatory bodies?
No Member State reported any follow-up actions based on concerns brought to their attention. Furthermore, no Member State reported any complaints relating to national laws that would/could hamper supervision. However, several Member States reported various follow-up actions to improve the effectiveness of supervision and of the actions of their supervisory authorities:
One Member State reported to have taken additional steps to better coordinate the different actions of the different supervisory authorities both at federal and regional level. Another one amended its legislation to improve the supervisory procedure and strengthen the cooperation between different supervisors. Another country created a specific team exclusively dealing with supervision issues in order to enhance supervision. Yet another Member State has a formalized process in which the Central Bank and the AML/CFT supervisor can share ideas once a year and suggest improvements to the Ministry of Finance. In yet another Member State in May 2021 a public inquiry presented several proposals to improve supervision and implementation of the AML/CFT framework.
4.2.Risk assessment and risk mitigation
Summary of responses
Question 1: Since 2018, how many iterations of your national risk assessment (NRA) have been completed?
Most Member States carried out a single NRA during the considered period. Three of them completed two NRA exercises. A single Member State carried out an NRA every year, with the exception of 2020 and 2021, where a single NRA was completed.
Question 2: Have new areas of risk been added to the national risk assessment during this period?
Most Member States added virtual assets and new technologies as new areas of risk in their NRAs. Several other areas were added to the different NRAs, namely high value cash transactions; money laundering from tax evasion and fraud; trades in goods and charities; gambling and agents/distributors; professional sports; crowdfunding.
Question 3: How often is the national risk assessment updated? Is this frequency set out in legislation?
Member States’ answers differed substantially, with three Member States updating it every five years; seven Member States updating their NRA at least every four years; three Member States every three years; four Member States every two years and one Member State every year. Most Member States reported that the frequency is set out in legislation. Some indicated that it is updated ‘regularly’ or ‘as necessary’, without indicating any set frequency. Only two Member States have not set it out in legislation.
Question 4: Have thematic (e.g. legal persons, including foreign legal persons) or sectoral (e.g. Trust or Company Service Providers sector) risk assessments been drawn up?
All Member States reported of different thematic or sectoral risk assessments having been drawn up, with a significant degree of heterogeneity (e.g. one Member State carried out 19 thematic analyses in the period of reference, whereas another one only carried out two). Such assessments were generally carried out by AML/CFT authorities and FIUs.
Question 5: Have strategic analyses on emerging or specific risks been issued by the FIU?
In most Member States, FIUs issued a number of strategic analyses on emerging or specific risks (some recurrent themes are virtual asset service providers, cash operations, fraud and tax abuse). Only two Member States reported that their FIU has not yet issued any such analyses.
Question 6: Have new sectors (e.g. crypto-assets, crowdfunding) been subject to AML/CFT rules?
A vast majority of Member States reported that, during the considered period, they added virtual asset service providers to the list of obliged entities under the relevant national AML/CFT law. Several Member States also added crowdfunding service providers, professional football clubs, or political parties. Some Member States stressed that they enlarged the national list of obliged entities to traders of works of art, office service providers and real estate intermediaries and developers.
Question 7: Have new risk mitigating measures (e.g. mandatory EDD for some products, transactions or customers, specific licensing regimes for at-risk sectors) been imposed on obliged entities?
The vast majority of Member States issued guidelines or circulars on CDD procedures and risk factors in preventing money laundering and terrorist financing (ML/TF) risks. Some Member States went even further, providing tailored regimes and AML/CFT rules for some specific sectors (e.g VASPs, dealers in precious metals/stones, real estate agents). Few Member States also reported of mandatory EDD application in different cases, e.g. in the presence of “intermediaries”, non-face to face operations, investment operations, shell companies, or non-profit organisations.
Question 8: Have specific measures been taken to mitigate risks related to legal entities and arrangements that go beyond those included in the AML Directive (e.g. measures regarding shell/shelf entities)?
Besides the implementation of BO registers, Member States reported various measures that have been introduced to mitigate risks related to legal entities and arrangements, such as guidelines on the identification of fictitious companies and shell companies, assessments of different level arrangements and entities and guidelines on complex structures. VASPs are addressed by one Member State and shell companies by two. Some Member States highlighted the introduction of different tools (e.g. software enabling risk scoring) to be used by national authorities. One Member State reported a measure prohibiting the provision of anonymous instruments, including bearer shares.
Question 9: Do you collect beneficial ownership information on foreign legal entities? If yes, what is the mechanism for that?
23 Member States do not require the collection of BO information of foreign legal entities. However, 12 of those 23 Member States highlighted that BO information might be available to a limited extent based on the obliged entities’ customer due diligence requirements and/or where a foreign entity and its beneficial owner(s) own and/or control a national legal entity and are therefore recorded in the national BO register. Five Member States proactively collect BO information on foreign legal entities.
Question 10: Has the threshold for CDD for occasional transactions been lowered for certain products / transactions on the basis of a higher risk?
The majority of Member States has not lowered the threshold for CDD for occasional transactions. The few Member States that lowered the threshold, did so for virtual asset transactions, cash deposits made by third parties, the formation of a company/trust and tax advice, or occasional transactions for financial sector entities under supervision of the National Bank. Several Member States reported that they had lowered the CDD threshold for cash transactions to amounts lower than in the AMLD.
Question 11: Have new simplified due diligence measures been introduced in response to lower risks in certain products/sectors?
A significant number of Member States have not introduced any – specific – new SDD measures in response to lower risks in any given sector or for specific products. Some Member States reported of SDD (or rather CDD exemption) for specific e-money products (as per AMLD provisions). One Member State reported of SDD provisions for payment initiation and account information services, whereas another introduced SDD for state assistance loans during the Covid19 crisis.
4.3.National Competent Authorities (NCAs) and FIUs – Information access and cooperation
4.3.1.Results of the survey among members of the EGMLTF and the EBA´s network of AML/CFT national experts
Summary of responses
Question 1: Do supervisors have in place sufficient mechanisms for cooperating on a bilateral basis with counterparts in other Member States?
Based on the questionnaire, all Member States seem to have in place sufficient mechanisms for bilateral cooperation. The main mechanisms are: (1) Memoranda of Understanding (MoUs) and cooperation agreements including the Multilateral Agreement concluded in 2019 between the ECB and more than 50 EU Competent Authorities; (2) AML/CFT Colleges, which have started to be established based on AMLD5 and the December 2019 ESAs Joint Guidelines on cooperation and information exchange on AML – CFT; and (3) ad hoc cooperation on a case-by-case basis.
Question 1a: Is there a difference between supervisors in the financial sector and supervisors in the non-financial sector?
While a small number of Member States do not see a difference, overall, the cooperation in the non-financial sector appears less formalised, also because in the financial sector supervisors could draw on cooperation agreements in place among prudential supervisors.
Furthermore, as noted by one Member State, for the Designated Non-Financial Businesses and Professions (DNFBP), it is much more difficult to identify and obtain the contact details of AML/CFT supervisors (while the different fora hosted by the EBA and the establishment of AML/CFT colleges allow for ease of determination and obtaining contact details for AML/CFT supervisors in the financial sector).
This being said, reference was made by a number of Member States to (1) cooperation mechanisms within the Council of Notaries of the EU (CNUE), (2) policies and guidelines for bilateral cooperation of the Council of Bars and Law Societies of Europe (CCBE), and (3) the Cooperation Agreement signed between the gambling regulatory authorities of most EEA-member countries concerning online gambling services (facilitated by the European Commission Expert Group on Online Gambling).
Question 2: Are supervisors able to collect information on behalf of an EU counterpart? Within what timeframes is this information shared?
In general, Member States did not report any specific difficulty with the collection of information on behalf of an EU counterpart. There was also no reference to formal time requirements, nor issues in terms of late submission. One possible explanation could be that the info is usually already in the possession of the supervisors.
The volume of requests made to DNFBP supervisors is also very low (in many Member States there have been no such requests so far). The gambling sector was mentioned specifically by some Member States as an area where the collection of information on behalf of an EU counterpart would not be possible legally.
Question 3: How is information exchanged and obtained between supervisors who are public authorities (e.g. FIUs) and supervisors who are self-regulatory bodies (SRBs)?
Taking into account that in a number of Member States there are no self-regulatory bodies (SRBs), there are two dimensions to be taken into account in this relationship: on the one hand, cooperation and exchange of information, on the other hand supervision of how the SRB monitors its professionals’ activities. In some countries there is a formal regular (annual) reporting by the SRB to the supervisor providing an overview of activities which serves both purposes. Regarding specifically the exchange of information, as a rule, this seems to take place rather informally (as opposed to official requests/submissions) and on a case-by-case basis (breach of AML requirements). The information is usually exchanged and obtained through secured channels.
Question 4: What mechanisms do supervisors have in place to obtain information on obliged entities under their supervision who are not physically present in their territory?
It should first be noted that in a number of Member States, an operator must have a physical presence in the State to be considered an obliged entity; consequently, in those States a situation cannot arise where an obliged entity does not have a physical presence.
Regarding the financial sector, obliged entities that are not physically present are primarily payment institutions and electronic money institutions (as part of the freedom to provide services). Usually, these entities have to nominate representatives which act as contact points (sharing the relevant information with the supervisors); the supervisor himself can designate a contact point responsible for the obliged entity including for reporting obligations.
Regarding the non-financial sector, obliged entities that are not physically present can be found in particular in the gambling sector (online gambling). Legal gambling and more generally all obliged entities active in a country are subject to a national licence requiring a representative to be based in the country. Such representative serves as a contact point.
Different from the involvement of (local) representatives, the main mechanism in a limited number of Member States is to go through the home supervisor (in relation to both the financial and non-financial sectors).
Supervised entities, whether or not physically present, must usually submit at least one annual report related to the activities carried out. Beyond this, some Member States mentioned the detailed documentation that they request from obliged entities which are not physically present in their territory especially in the context of inspections – for both the financial and non-financial sectors. One Member State also mentioned the recourse to administrative fines on the supervised obliged entities, if they fail to comply, for example with the provisions on providing information.
Question 5: Are contact points a useful source of information for supervisors with regard to establishments under their supervision that come in forms other than a branch or subsidiary (e.g. distributors and agents)? What information can be gathered from them?
In a number of countries with establishments operating on a cross-border basis through agents (to note: not all Member States are concerned) central contact points (CCPs) are required, in particular for payment service providers and e-money institutions.
The CCPs are considered by a large number of Member States as a very useful source of information for supervisors; systematic or ad hoc reporting covers in particular the number of agents, the number of transactions and their volume, and the number of STRs. CCPs are also useful for the coordination of supervisory measures, such as on-site inspections. Overall, CCPs emerge as a key channel to ensure compliance with the national AML/CFT laws (so that the foreign intermediaries are subject to the same AML obligations as national ones).
Still, in some countries with establishments operating on a cross-border basis through agents, so far, the need was not felt to impose CCPs. One Member State pointed specifically to the limits of the powers of host authorities (also due to absence of access to the systems/procedures in place). On the other hand, some Member States are seriously considering introducing the requirement to designate CCPs.
For the non-financial sector, direct contacts with the establishment (i.e. persons who have key functions such as the AML Compliance Officer) seem to be considered more effective.
Question 6: What information is provided from the FIU to the supervisors to inform risk-based supervision (e.g. number and quality of STRs, quality and timeliness of replies to queries by the FIU)? If supervision is performed by multiple authorities, please break down the answer per authority or, at a minimum, distinguish between supervisors in the financial and the non-financial sector.
The information provided from the FIU to the supervisors to inform risk-based supervision appears to include (mostly for the financial sector but not only), as a minimum, the number, quality and completeness of STRs, quality and timeliness of replies to queries by the FIU; this is done in a more or less structured fashion.
In some cases there are periodic submissions (sometimes even quarterly); most frequently exchanges occur on an ad-hoc basis (for instance before the supervisors launch an inspection of the obliged entity), or in the context of regular meetings between the authorities. In this respect in some countries the fluidity of information exchanges is enhanced by the participation in respective boards or the exchange of liaison officers.
Supervisors benefit also from the strategic work conducted by the FIU on typologies of ML/TF risks, including geographical risks and cross-border risks, as well as emerging risks (threats and typologies coming from the analysis of STRs), which is often shared more widely by the FIU.
To note: in some cases the amount of information provided by the FIU on reporting entities (especially financial institutions considered as higher risk by the FIU) can include (on top of the above) the following: the average financial stakes involved, the geographic breakdown when relevant, the average time taken to report, the diversity of detected typologies (which is an indication of the quality of the transaction monitoring framework) and information on whether customers subject to STRs are legal or natural persons (which may allow to detect areas with a potential under-reporting). The FIU can also provide the supervisor with the number of requests for information sent to the financial institution, which is an indicator of the risk level of the customer base (comparing this value with the number of STRs is helpful). When kick-off meetings are set up between the FIU and an on-site inspection team, the FIU can also provide comparative analyses with similar obliged entities.
Question 7: Has the transposition of Directive (EU) 2018/843 led to improvements in your work and what are they?
Taking into account that in some countries, due to recent transposition, the changes and improvements are still relatively new, the benefits most frequently put forward are the following:
- enhanced risk-based approach (including the publication of national risk assessments)
- extension of scope of supervision to virtual currencies and related services
- improved group supervision with strengthened expectations
- greater cooperation and information exchange including through the establishment of dedicated AML/CFT colleges
- improvements regarding the lists of Politically Exposed Persons (PEP) and how to address discrepancies in BO information.
On the other hand, in relation to the changes brought about in their work by AMLD5, some Member States rather emphasise the challenges linked to having to supervise more entities with no extra resources (for instance, for one country, AML/CFT colleges are a great tool for supervisors, but they do not have enough specialists to represent them in college meetings). Furthermore, some of the new obliged entities are considered difficult to address in terms of ML/TF risk (e.g. account information service providers - AISPs).
Question 8: Do supervisors have in place arrangements with third countries supervisors to exchange information?
For the financial sector, supervisors can draw on bilateral and multilateral agreements originated for other purposes (e.g. IOSCO MMOU). The AML/CFT supervisory colleges established as from 2019 are also helpful as they provide for the participation as observers of supervisors from third countries where cross-border establishments operate allowing for information exchange with them under the terms of participation agreed upon, in line with the December 2019 ESAs Joint Guidelines on AML/CFT Colleges.
In the non-financial sector, it seems that no individual arrangements for the exchange of information have been entered into with third countries (this is also due to the fact that unlike obliged entities in the financial sector, the vast majority of obliged entities in the non-financial sector operate only at national level). Therefore, in the latter case, information is exchanged with third-country supervisory authorities on a case-by-case basis without any special arrangements.
4.3.2.Results of the survey submitted to FIUs
Background
Article 32 of AMLD4 as amended by AMLD5 requires Member States to ensure that FIUs have timely access, directly or indirectly, to the financial, administrative and law enforcement information that they require to fulfil their tasks properly. The range of data sources that FIUs can access has been left to Member States to define at national level. Article 32a of AMLD4 as amended byAMLD5 requires Member States to ensure that FIUs have direct access to central bank account registers. This section looks into the implementation of this requirement by Member States, by assessing the scope of information that EU FIUs can access and the nature of such access.
It is important to note recent developments regarding the implementation of Article 32 AMLD. The report on the 2016 exercise mapping FIUs' powers and obstacles to exchange and access information ( 14 ) notes significant differences in the range of information available to EU FIUs. This impacts their ability to conduct effective domestic analysis, exchange of information with counterparts, and conduct cross-border analysis. The 2016 exercise recommends the development of a common approach on the minimum sources of data that FIUs should be able to access. The Commission report assessing the framework for cooperation between FIUs provides additional insight on the state of FIU cooperation ( 15 ).
To obtain an updated view on EU FIUs’ access to different sources of financial, administrative and law enforcement information, a survey was transmitted to EU Member States’ FIUs in July 2022, through the EU FIUs' Platform (an Expert Group of the Commission). FIUs were asked to indicate whether they have access to a list of sources, and whether such access is direct or indirect.
Responses were received from 25 FIUs between July and August 2022. There are some limitations to the summary of replies, in particular, for some sources, respondents provided explanations or disclaimers that do not permit a definite ‘yes’ or ‘no’ answer, or did not respond. For these reasons, the statistics are indicative but not definitive. Additionally, FIUs may have access to sources of information other than those provided in the questionnaire, and importantly, certain information may not be available within a database or register but FIUs may be empowered at national level to request information from any person, entity or authority. Finally, this assessment is accurate up to the date that the responses were received, and do not necessarily reflect the situation at the date of adoption of this document.
Access to financial information
This part of the questionnaire contained a list of relevant financial information. Replies indicate that central bank account registers are accessible directly by 21 FIUs, and indirectly by two FIUs. The register is in development in two Member States. Some 20 FIUs have access to registers on safety deposit boxes, and databases on currency exchange information are directly accessible to six FIUs and indirectly accessible to four FIUs (with remaining FIUs indicating that these do not exist or did not otherwise respond). Some 18 FIUs have access to mortgage registers. Once again it is to be noted that even if certain financial information is not held within a dedicated register, FIUs may be able to obtain the same information from obliged entities or competent authorities.
A set of questions were intended to assess the different suspicious transaction reporting (STR) regimes. FIUs recognize various types of reports: all but one responding FIUs receive STRs, with the remaining FIU receiving, rather, unusual transaction and unusual activity reports. Suspicious activity reports are recognized by 13 FIUs, while unusual transaction and unusual activity reports are recognized by six and five FIUs respectively. Some ten FIUs receive threshold reports ( 16 ).
Access to administrative information
FIUs were presented with a list of relevant sources of administrative information. Of note is that all FIUs have access to information from tax authorities (with 15 FIUs having direct access), and 18 FIUs have indirect access to export-import information from customs or other authorities. Some 16 FIUs have direct access to cash controls and cash declarations databases, while eight FIUs access these indirectly.
All responding FIUs have access to company and business registries (with only one FIU having indirect access), and to databases with annual financial statements of companies (with three FIUs having indirect access). Some 21 FIUs have direct access to registries of BO of companies (with three having indirect access, and one did not respond), while BO information on trusts is accessible directly by 20 FIUs, and indirectly by two FIUs. All but one FIUs have access to land registries. Only 12 FIUs indicate that they have access to registers of Designated non-Financial Businesses and Professionals (DNFBPs).
Access to law enforcement information
Information held by tax and customs investigative authorities is accessible by 21 FIUs (14 FIUs have indirect access, seven have direct access). All responding FIUs have access to the general police database (19 accessing directly, six indirectly), and criminal records registers are accessible by all but one responding FIUs (18 directly, six indirectly). Identity card and passport registries are accessible by 23 FIUs (16 directly, seven indirectly).
Horizontal assessment
Once again, divergences are noted in the range of information accessible to FIUs. The FIUs with the narrowest and widest access can respectively access 16 and 61 sources of information. Some 11 FIUs have access to 16 – 25 sources of information, 10 FIUs have access to 27 – 36 sources of information, and four FIUs have access to 38 – 61 sources. Divergences are not in themselves a shortcoming, but an FIU’s inability to access a set of information can impact its ability to respond to a request from a counterpart or participate in a joint analysis.
Concluding remarks
This assessment demonstrates the divergences in the sources of information that FIUs may access. Certain essential sources are only accessible indirectly by some. These results highlight the importance of efforts to converge FIU practices, to ensure not only effective domestic analysis, but also cooperation among counterparts including through joint analyses.
International cooperation and information exchange of FIUs with third countries
The AMLD does not address or regulate the cooperation of Financial Intelligence Units (FIUs) of the EU Member States with FIUs of third countries. The FIUs of all Member States exchange information with FIUs of third countries on a regular basis. This is done on the basis of the Charter of Egmont Group or bilateral agreements, or memoranda of understanding. The scope of the memoranda of understanding varies in terms of geographical focus. One FIU, for example, has reported that it has concluded more than a hundred such arrangements, while other FIUs have concluded fewer ( 17 ).
4.4.Respect of fundamental rights and principles recognised by the Charter of Fundamental Rights of the European Union
Proceedings before courts
Question 1: Please indicate whether any proceedings have been initiated before national courts contesting the interference of AMLD requirements with any of the following fundamental rights:
- Article 7 Respect for private and family life
- Article 8 Protection of personal data
- Article 11 Freedom of expression and information
- Article 12 Freedom of assembly and association
- Article 16 Freedom to conduct a business
- Article 17 Right to property
- Article 20 Equality before the law
- Article 21 Non-discrimination
- Article 47 Right to an effective remedy and to a fair trial
- Article 48 Presumption of innocence and right of defence
- Article 49 Principles of legality and proportionality of criminal offences and penalties
- Article 50 Right not to be tried or punished twice in criminal proceedings for the same criminal offence
Eight Member States reported proceedings initiated before national courts related to this kind of interference. One Member State mentioned two concrete cases with connections to Article 48 and the other to Article 49. Other Member States were not aware of such cases or did not answer this question.
Question 2: Have cases regarding interference with other fundamental rights been brought before national courts?
Member States did not report on cases regarding interference with other fundamental rights than the ones mentioned in the questionnaire.
Data protection authorities
Question 3: Have administrative complaints regarding AMLD requirements been filed with data protection authorities?
As regards the rights to privacy and the protection of personal data, the 2022 survey showed the following: Administrative complaints regarding requirements set out in AMLD4 have been filed with data protection authorities in the majority of the Member States (17).
Question 4: Have data protection authorities been consulted for the preparation of national acts transposing or implementing AMLD requirements?
Data protection authorities have been consulted in the context of the preparation of national acts transposing or implementing requirements of the AMLD in almost all Member States (24).
Other cases
Question 5: Please list any other types of complaints filed / consultation carried out with other national authorities that have a bearing on the interaction between AMLD requirements and fundamental rights.
Several Member States (9) listed other types of complaints filed / consultation carried out with other national authorities that have a bearing on the interaction between AMLD requirements and fundamental rights. Only three Member States reported about complaints.
4.5.Central database for the registration of virtual currency users’ identities
Summary of responses:
Has your Member State created any kind of database for registering the identities of users of crypto-asset transfers or is your Member State planning to create such a register? If so, please provide details about its current functioning or your possible projects in that regard.
It appears that no Member State created or had a plan to create a database for registering the identities of users of crypto-asset transfers.
It is however to be noted that one Member State requires crypto-asset service providers (CASPs) to communicate to the national supervisor, on a quarterly basis, the relevant identification data of each of their customers (e.g. name and surname, place of residence, tax identification number/VAT number), as well as data concerning the transactions of their customers considering all services performed (total balance, number and value of fiat-to-crypto or crypto-to-fiat transactions, number of crypto-to-crypto transactions, crypto and fiat inflows/outflows).
It is to be pointed out that at least one Member State does not yet even register the CASPs, contrary to the AMLD obligations.
5.EBA contribution to the report on the implementation of Directive (EU) 2015/849
This chapter is based on contributions provided by the European Banking Authority (EBA) regarding the implementation of AMLD, ML/TF risk assessment including emerging risks and risk mitigation as well as information access and cooperation of NCAs and FIUs.
5.1.Implementation of AMLD
Since early 2019, the European Banking Authority, EBA, has been undertaking a series of reviews, named ‘implementation reviews’, to assess how national AML/CFT supervisors approach the AML/CFT supervision of their banking sector and how effective these approaches are.
These EBA reviews focus on how AML/CFT supervisors across Member States assess the ML/TF risks associated with banks under their supervision, and on how AML/CFT supervisors are using these risk assessments to inform their supervisory practice and enforcement. They also examine how AML/CFT supervisors interact with their prudential counterparts and other national and international stakeholders to ensure a comprehensive supervisory approach to tackling ML/TF risk and safeguarding the integrity of the financial markets in their jurisdiction. As part of each implementation review and based on its findings, the EBA provides bilateral feedback and recommends specific actions to each AML/CFT supervisor reviewed. Also, the EBA follows-up on the specific actions these AML supervisors have undertaken and hence aims to improve AML/CFT supervision across Member States. In line with Directive (EU) 2015/849, the main topics of focus of these EBA reviews are: 1. the establishment and use of ML/TF risk assessments, 2. the AML/CFT supervision and ensuing supervisory sanctions or other follow-up measures, 3. the steps AML/CFT supervisors take to tackle ML/TF risk through prudential supervision, including authorisation processes and suitability assessments, as well as 4. national and international cooperation.
The legal basis for these reviews is set out in Article 1, Article 8(1), Article 9a as well as Article 29(1) and (2) of Regulation (EU) 1093/2010 (EBA Regulation) ( 18 ). It confers on the EBA a duty to ensure effective and consistent supervisory practices and contribute to the consistent and effective application of Union Law, including in relation to AML/CFT. To this effect, the EBA can carry out peer reviews and investigate potential breaches of Union law, and it can take other measures such as staff-led implementation reviews to assess AML/CFT supervisors’ responses to particular compliance challenges.
Since 2019, EBA staff carried out implementation reviews of 34 AML/CFT supervisors in 25 EU/EEA Member States altogether. As of September 2023, there remain five Member States to be reviewed to complete the review of all AML/CFT supervisors in the EU/EEA. Findings of these reviews will be transferred to the future AMLA which will continue following up on them in particular in its future mandate of indirect supervision.
While outcomes of each review and the targeted recommendations therein are only shared with the individual AML/CFT supervisor under review, aggregated findings of these reviews are made public in EBA reports which are regularly published at the end of each review cycle ( 19 ). They give an up-to-date picture of the level of effective AML/CFT supervision of banks across the EU.
EBA’s key findings of AML/CFT supervision of banks in EU Member States (2019-2023)
(1)AML/CFT supervisory capacity in EU Member States
Since the implementation date of Directive (EU) 2015/849, most AML/CFT supervisors have been reinforcing their resources and reformed their approach to supervision, including through internal reorganisations, and hiring additional AML/CFT staff. Overall, the EBA observed that the AML/CFT supervisory staff across Member States have acquired a good knowledge and understanding of the EU AML/CFT standards and are generally committed to fighting financial crime. However, many AML/CFT supervisors reported skill shortages, and the EBA found that some remain understaffed.
(2)Growing awareness of ML/TF risks in the financial sector
All Member States had carried out a national ML/TF risk assessment (NRA) in line with Article 7 of Directive (EU) 2015/849, however, the NRA was sometimes out of date or incomplete. This affected AML/CFT supervisors’ understanding of the ML/TF risks to which banks in their jurisdiction were exposed.
In the meanwhile, AML/CFT supervisors were aware of the necessity to incorporate findings of the EU Commission’s supranational risk assessment (SNRA) in their approach. In many cases, the SNRA had influenced the choice of risk factors that AML/CFT supervisors considered and, in some cases, AML/CFT supervisors had given greater weight to risk factors that the SNRA had identified as particularly concerning. However, some AML/CFT supervisors had incorporated the SNRA’s findings in their national approaches without considering the extent to which these findings applied to their sector. In those cases, the focus on complying with the SNRA meant that risks specific to that Member State were missed.
In addition, at the beginning of the review cycle, the EBA found that most AML/CFT supervisors had not completed sectoral risk assessments of ML/TF risks affecting their banking sectors. This had affected their ability to draw up a supervisory strategy focused on the areas of greatest risk and hampered their ability to critically assess banks’ own risk assessments. In order to help AML/CFT supervisors with this task, the EBA prepared guidance on sectoral risk assessments as part of its review of the ESAs’ Risk-based Supervision guidelines and consulted on it publicly in 2021. Subsequently, the EBA observed that AML/CFT supervisors have increasingly taken steps to establish sectoral risk assessments to identify and assess ML/TF risks in their banking sector.
(3)Limited understanding of TF risks
The EBA findings show that AML/CFT supervisors’ understanding of TF risk remains very limited. For example, the EBA found during its reviews and associated monitoring work that some AML/CFT supervisors appeared to be unaware of TF risks arising from right-wing extremism, which law enforcement in these Member States had highlighted as an area of growing or significant terrorist financing concern. Some AML/CFT supervisors did not consider that the risk of TF had increased in their sector despite it servicing a significant number of customers with links to countries and territories with a high TF risk. Also, many AML/CFT supervisors considered TF risk exclusively under the heading of sanction breaches. This meant that TF risks were not always identified or managed effectively by AML/CFT supervisors and their sector.
(4)AML/CFT supervision across EU Member States
Directive (EU) 2015/849 requires AML/CFT supervisors to monitor effectively, and to take the measures necessary to ensure, compliance with the Directive. As part of this, it requires AML/CFT supervisors to adjust the frequency and intensity of on-site and off-site supervision to reflect the outcomes of their ML/TF risk assessments.
The EBA reviews these aspects during its implementation reviews and indirectly, when taking action under the powers granted to it in the EBA Regulation. Overall, the EBA observed that AML/CFT supervisors have all undertaken significant work to implement the risk-based approach (RBA) to AML/CFT supervision of banks in line with the EBA’s Risk‐Based Supervision Guidelines ( 20 ).
While there is generally a common understanding of the necessity of applying the risk-based approach and authorities seem to have an adequate level of theoretical knowledge on it, common challenges observed by the EBA include:
·Difficulties in translating the theoretical knowledge on the RBA into a risk-based supervisory strategy and practice
The EBA found evidence that where an AML/CFT supervisory strategy is adopted, supervisors were able to define a transparent and clear approach to AML/CFT supervision, including through defining the number and type of inspections the AML/CFT supervisor intended to carry out each year, the use of different supervisory tools for different supervisory purposes and the resources it needed to implement that pre-defined strategy. On the contrary, without a clear strategy adopted, in some extreme cases, a considerable section of the banking sector in certain Member States remained un-supervised by the AML/CFT supervisor.
The EBA observed that not all AML/CFT supervisors put in place a clear AML/CFT supervisory strategy. Where such AML/CFT supervisory strategy was put in place, it did not always reflect the outcomes of the AML/CFT supervisor’s ML/TF risk assessments. In the absence of a supervisory strategy which is aligned to the ML/TF risk assessment, the preparation of the ensuing inspection plans did not allow effective AML/CFT supervision.
In addition, many AML/CFT supervisors found the transition from testing compliance with a prescribed set of AML/CFT requirements to also assessing the overall effectiveness of a bank’s AML/CFT policies and procedures very difficult. As a consequence, the root causes of repeated compliance failures of financial institutions were not always identified and tackled, which left the overall banking sector vulnerable to ML/TF risks.
·AML/CFT supervisors did not always use their scarce supervisory resources effectively
In line with the EBA’s revised Risk‐Based Supervision Guidelines, effective AML/CFT supervision implies adjusting the frequency, intensity and intrusiveness of AML/CFT supervision on a risk sensitive basis. However, the EBA found evidence that many AML/CFT supervisors carry out only full-scope on-site inspections. This meant that, in many cases, the population of actively supervised banks was very small. Other supervisors had moved away from on-site inspections and instead focused exclusively on offsite monitoring of all institutions within their remit, which meant that they were unable to identify compliance failures before risks had crystallised. In the EBA’s Risk-Based Supervision Guidelines, the EBA provided guidance on the different supervisory tools available to AML/CFT supervisors and on how to select the most effective tools for different purposes. Accordingly, AML/CFT supervisors should ensure an appropriate balance between on-site and off-site supervision, and between intrusive approaches and less intrusive approaches. This can be achieved through the strategic use of full-scope and partial-scope on-site and off-site inspections, and the strategic use of thematic reviews of a cross-section of banks that focus on one specific aspect of their AML/CFT systems and controls framework.
(5)National and international cooperation in fighting financial crime
Directive (EU) 2015/849 is clear that cooperation between AML/CFT supervisors at home and across borders is an integral component of an effective approach to AML/CFT supervision.
(5.1) National cooperation to fight ML/TF
All AML/CFT supervisors reviewed by the EBA confirmed that there were no legal obstacles preventing them from cooperating with other authorities or agencies in their Member State. The EBA observed that AML/CFT supervisors established, or participated in, structures for cooperation between domestic AML/CFT authorities, including prudential supervisors, law enforcement agencies, FIUs and government agencies. These structures allowed them to exchange high-level views on risks and developed strategies at a national level, e.g. their national risk assessments.
In December 2021, the EBA published its AML/CFT Cooperation Guidelines ( 21 ), as well as the EBA’s revised Risk-Based Supervision Guidelines. Both guidelines set out how AML/CFT supervisors should cooperate in the fight against financial crime.
Following the issuance of these guidelines, the EBA observed growing awareness amongst Member States on why cooperation matters. AML/CFT supervisors reviewed by the EBA not only acknowledged the importance of cooperation at both domestic and international levels but started setting supervisory cooperation as a clear priority. Accordingly, they started to put in place mechanisms to exchange information with other relevant authorities at home and abroad.
While there is wide understanding across Member States on the necessity of national cooperation, and authorities seem to see both its importance and its benefits, common challenges observed by the EBA include:
·cooperation was, in certain cases, limited by the resources available to AML/CFT supervisors, and sometimes it remained based on informal relationships instead of formalised cooperation arrangements
The EBA observed that cooperation amongst national stakeholders may sometimes be linked to personal acquaintances of the staff in different authorities. The EBA alerted that while this approach may seem operationally useful in short term, it bears the risk of rapid deterioration if people move around posts. Therefore, formalizing cooperation arrangements remains crucial to provide for a longer-term solution.
·in a few cases, the cooperation framework was ineffective as there was a lack of understanding of how the national legal framework had evolved
The EBA observed that in certain instances the already existing cooperation arrangements were either unclear or not well communicated; or have been changing over the time which impeded a meaningful information exchange in a timely and constructive manner.
·information exchange in practice remained rarely systematic
The EBA observed that while MoUs have almost systematically been put in place in Member States between prudential supervisors, AML/CFT supervisors and FIUs, such arrangements were not fully used in practice. This means that there were cases in which prudential authorities took decisions on AML/CFT supervision, and vice versa, without having full knowledge of all the relevant facts.
(5.2) International cooperation to fight financial crime
International cooperation amongst AML/CFT supervisors across Member States has evolved during the period of the EBA’s reviews. At the beginning of the review cycle, the EBA observed that only some AML/CFT supervisors had experience of international cooperation, but most had not yet taken concrete steps to put in place an international cooperation strategy. International cooperation was often limited to ad hoc exchanges of findings from inspections. In some cases, the EBA found that information that would have been relevant to other AML/CFT supervisors was not shared, and AML/CFT supervisors failed to consider whether other AML/CFT supervisors held information that could have supported their own ML/TF risk assessments and made their AML/CFT supervision more effective and targeted.
Later in the review cycle, AML/CFT supervisors started to highlight the importance of international cooperation, especially in relation to supervisory authorities of their neighbouring countries or in Member States where financial institutions established in their territory had a presence via branches and subsidiaries. Some AML/CFT supervisors started participating in multilateral structures in their region that had been set up to facilitate the exchange of good supervisory practices and discuss issues of common concern. As an emerging good practice, EBA has seen some examples in which AML/CFT supervisors from more than one Member State completed parallel on-site supervisions in the headquarters and branches of the same bank simultaneously and in a coordinated manner.
In terms of international cooperation amongst supervisors, common challenges observed by the EBA include:
·absence of AML/CFT inspections of bank branches or subsidiaries in other Member States with headquarters in the AML/CFT inspector’s Member State
None of the AML/CFT supervisors reviewed so far by the EBA performed inspections outside their own jurisdiction. This means bank branches or subsidiaries in other Member States with headquarters in the supervisor’s Member State were not subject to AML/CFT inspections.
·lack of a comprehensive international supervisory cooperation strategy set out by AML/CFT supervisors
The EBA found evidence that putting in place such strategy, aiming to engage proactively as well as reactively with AML/CFT supervisors in the EU but also in third countries allows the supervisory authorities to obtain as full a view as possible of the ML/TF risks to which banks within their supervisory remit are exposed.
(5.2.1) The EBA’s AML/CFT colleges
As part of the EBA’s continued efforts to foster cooperation and the exchange of information between supervisory authorities, a key EBA initiative is the establishment of AML/CFT colleges. The AML/CFT colleges are permanent structures that bring together different supervisory authorities responsible for the supervision of the same financial institution if it operates in at least three Member States, including third-country undertakings with EU establishments in at least three Member States.
As of September 2023, 274 AML/CFT colleges have been established and are operational. The EBA contributed, through technical advice and participation of, and bilateral feedback from, the EBA staff in the AML/CFT colleges of financial institutions and European supervisors. The EBA also facilitated the negotiation of framework terms of participation for AML/CFT college observers and third-country authorities.
In 2022, the EBA started implementing a new strategy for its AML/CFT colleges’ monitoring activities. Accordingly, between 2022 and 2024, it is intended that the EBA actively monitors 15 AML/CFT colleges and selects ten other AML/CFT colleges annually for thematic monitoring. The outcomes of this monitoring will be published and will also inform the EBA’s other work.
Through findings of the implementation reviews, the EBA observed that all AML/CFT supervisors welcomed the establishment of AML/CFT colleges and participated in meetings of AML/CFT colleges. AML/CFT supervisors that were ‘lead supervisors’ had begun to set up AML/CFT colleges for banks within their supervisory remit, and, in some cases, adopted measures following their observation of others’ approaches during AML/CFT college meetings. However, many AML/CFT supervisors still do not use AML/CFT colleges effectively and did not incorporate AML/CFT colleges as part of their supervisory strategy or plans.
Findings of a 2022 survey showed an increase in the number of AML/CFT colleges established, and the participation of AML/CFT supervisors therein. The information exchanged in AML/CFT colleges which AML/CFT supervisors found the most beneficial in their day-to-day supervisory practice included information on risk assessments, planned and/or completed supervisory activities, identified breaches and weaknesses, systems and controls failures within the supervised financial institution and the ensuing administrative measures and sanctions.
While seven AML/CFT supervisors did not report any change in their supervisory approach or practice as a consequence of the AML/CFT colleges, the remaining 22 respondents indicated that the information exchanged in AML/CFT colleges impacted their supervisory practice. The majority of them indicated that they reviewed their entity-level ML/TF risk assessment and implemented more targeted inspections at the financial institution as a consequence of the AML/CFT colleges. Eight respondents indicated that they changed the intensity and frequency of supervision in the financial institution in question, while three respondents indicated that they put in place enhanced requirements of reporting from the specific financial institution. One AML/CFT supervisor responded that they explicitly launched an ad hoc inspection in the financial institution after the discussions on that institution in the AML/CFT college.
(6)Corrective measures
Directive (EU) 2015/849 requires administrative sanctions and other supervisory measures to be effective, proportionate and dissuasive.
The EBA observed that administrative sanctions regimes of several AML/CFT supervisors had not been updated to comply with their legal requirements. Furthermore, AML/CFT supervisors’ approaches to determining and imposing sanctions and other measures diverged, and therefore the same breach by the same bank was likely to trigger the imposition of different sanctions and measures, or no sanctions or measures at all, depending on which AML/CFT supervisor was responsible for taking the enforcement action. When enforcement action was taken, the EBA observed that enforcement processes were oftentimes lengthy, and the ensuing fines were low. Therefore, these systems were not fulfilling the principles of proportionality, effectiveness or dissuasion.
By way of example, the EBA observed that many AML/CFT supervisors, especially at the beginning of the EBA’s review cycle, had developed administrative sanctions tools that determined fixed fines for specific breaches of AML/CFT obligations by a bank. These fines were usually very low, and several minor breaches therefore triggered multiple fines of the same low level. Banks in these Member States told the review team that they factored these fines in as a cost of doing business, and there was an associated risk, which had crystallised in some cases, that sanctions for breaches that had not been listed in the sanctions tool could not be imposed.
Furthermore, not all AML/CFT supervisors reviewed by the EBA had powers to take enforcement action or impose corrective measures on banks which were in breach of their AML/CFT obligations. In several cases, the power to impose serious sanctions for AML/CFT breaches laid with an external body such as the public prosecutor or an external sanctions committee. Supervisors were not always represented or involved in these external bodies’ decision-making processes. In some Member States where the enforcement measures are taken by such external bodies, the EBA identified cases in which AML/CFT supervisors were reluctant to refer AML/CFT breaches, even serious ones, to these external bodies, due to, for instance, extensive process requirements, or to the need to provide evidence of criminality rather than systems and controls breaches.
In some Member States, the EBA observed that sanctions were not always published, or that they were published anonymously because it was considered that publishing the name of a bank was detrimental to the bank’s interests. The publication of supervisory measures and sanctions is, in general, an effective manner for AML/CFT supervisors to communicate their expectations to the private sector. Accordingly, the non-publication of such measures could significantly limit the deterrent effect the enforcement measures could have on firms.
Concerning follow-up measures, the EBA found that most of the AML/CFT supervisors had put in place different strategies to ensure that banks had addressed previously identified AML/CFT shortcomings. Some AML/CFT supervisors had systems in place to ensure that the follow-up was commensurate with the nature of the breach. However, many AML/CFT supervisors afforded little priority to following up on banks’ remedial actions and this undermined the overall effectiveness of AML/CFT supervisors’ supervisory measures. In addition, many AML/CFT supervisors did not appear to follow up systematically to satisfy themselves that banks had complied with enforcement measures. Instead, they relied on a desk-based assessment of documentation from banks about the corrective measures they had put in place, irrespective of the scale or severity of the breach or the level of ML/TF risk associated with the bank. This meant that those AML/CFT supervisors were unable to ascertain whether banks’ remediation was effective.
Only a few AML/CFT supervisors established objective criteria or a methodology to determine the seriousness of a breach and the nature and size of the sanction or corrective measure to be imposed as a result. However, the EBA observed several cases where the AML/CFT supervisor’s approach to imposing corrective measures or sanctions was not always consistent, even when the criteria and/or methodology were established previously.
5.2.ML/TF risk assessment including emerging risks and risk mitigation
This chapter gives an overview over the EBA’s work on the risk-based approach, on the identification of emerging ML/TF risks, and on de-risking.
5.2.1.EBA work on the risk-based approach (RBA)
Directive (EU) 2015/849 established the risk-based approach, at the heart of the implementation of AML/CFT measures in the European financial sector. The Directive made the RBA mandatory and provided that where the risk associated with the business relationship or occasional transaction is low, Member States may allow obliged entities to apply simplified customer due diligence (SDD) measures. Conversely, where the risk associated with the business relationship or occasional transaction is increased, obliged entities are to apply enhanced customer due diligence (EDD) measures.
The Directive did not set out in detail how obliged entities should assess the risk associated with a business relationship or occasional transaction, nor did it detail exactly what SDD and EDD measures entail. Instead, in its Articles 17 and 18(4), the Directive required the European Supervisory Authorities (ESAs) to issue guidelines to support credit and financial institutions to identify and assess the ML/TF risks they are exposed to, in line with the risk-based approach.
Consistently with this objective, the EBA issued its first ML/TF Risk Factors Guidelines in June 2017 ( 22 ), jointly with the EU supervisory authorities (European Securities and Markets Authority, ESMA and European Insurance and Occupational Pensions Authority, EIOPA). In March 2021, the EBA published a revised version of the ML/TF Risk Factors Guidelines ( 23 ). The aim of these guidelines is to promote the development of a common understanding, by credit and financial institutions and competent authorities across the EU, of what the risk-based approach to AML/CFT entails and how it should be applied. They set out in detail how credit and financial institutions should identify, assess, and manage the ML/TF risks associated with individual business relationships and occasional transactions in a risk-based, proportionate and effective way. They identify and explain ML/TF risk factors linked to, respectively, customers; countries and geographical areas; products and services; and delivery channels.
The Risk Factors Guidelines also provide guidance to specific sectors, setting out risk factors which are particularly relevant for certain sectors such as correspondent banking, retail banking, e-money issuers, money remitters, wealth management, trade finance providers, insurance undertakings, investment firms and investment funds. The Risk Factors Guidelines also provided guidance on the risk-sensitive application of CDD measures by firms of these sectors.
In 2021, the EBA updated the Risk Factor Guidelines. This update was necessary to address new risks that had emerged since the guidelines were first published. It was also necessary to address common compliance challenges that the EBA had identified through its various interactions with EU supervisors and the private sector. Consequently, the revised Guidelines focussed, in particular, on four areas: 1. business-wide and individual ML/TF risk assessments; 2. customer due diligence measures including on the beneficial owner; 3. terrorist financing risk factors; and 4. new guidance on emerging risks, such as the use of innovative solutions for CDD purposes. As of September 2023, the EBA’s ML/TF Risk Factors Guidelines are again under revision, in order to extend their scope to crypto asset service providers (CASPs). Accordingly, the revised Guidelines will indicate the ML/TF risk factors that CASPs should take into account when entering into a business relationship or carrying out transactions in crypto assets.
5.2.2.Identification of emerging ML/TF risks by the EBA
(1)EBA’s subsequent Opinions on the ML/TF risks affecting the EU financial system
In February 2017 for the first time, the EBA published the Joint Opinion on the ML/TF risks affecting the internal market together with the EU supervisory authorities ESMA and EIOPA ( 24 ). Article 6(5) of Directive (EU) 2015/849 constitutes the legal basis for issuing this Joint Opinion. It serves to inform the Commission’s supranational risk assessment, the European Supervisory Authorities’ work on fostering supervisory convergence and a level playing field in the area of AML/CFT and Member States’ supervisors in their application of the risk-based approach to AML/CFT supervision. Since February 2017, the EBA has issued opinions on the EU’s ML/TF risks every two years. The most recent publication was issued in July 2023 ( 25 ).
In the first Joint Opinion of 2017, the ESAs considered that, at the time of writing, the Union’s financial sector was exposed to ML/TF risks arising from: a. ineffective AML/CFT systems and controls, which left firms vulnerable to abuse by financial criminals; b. firms taking advantage of significant differences in Member States’ approaches to AML/CFT regulation and oversight to obtain authorisation in Member States whose AML/CFT regime is perceived to be less demanding, with a view to passporting services to other Member States; c. lack of access to intelligence on terrorist suspects undermining efforts to curb terrorist financing; and d. high risk transactions being driven underground, as firms withdrew from offering services to less profitable customers that are associated with higher ML/TF risk (i.e. ‘cost of compliance’). The 2017 Joint Opinion concluded also that the appropriate level of ML/TF risk awareness and management expertise, which would allow a full implementation of the RBA, did not yet exist in all firms and all sectors at that time.
The second Joint Opinion on the ML/TF risks was published in October 2019 ( 26 ). The ESAs focused in particular on the ML/TF risks arising from the withdrawal of the United Kingdom (UK) from the EU; new technologies (i.e. both FinTech ( 27 ) and RegTech ( 28 )); virtual currencies; legislative divergence and divergent supervisory practices; weaknesses in internal controls; terrorist financing (already identified in the 2017 Joint Opinion); and de-risking.
One key challenge identified at that time was the uncertainty generated by the withdrawal of the UK from the EU and associated concerns regarding AML/CFT supervisors’ ability to adequately supervise the changing population of firms relocating to their Member States from the UK following the withdrawal of the UK from the EU.
The ESAs also examined the ML/TF risks prevalent in specific sectors – namely credit institutions, life insurance undertakings, life insurance intermediaries, e-money issuers (EMIs), payment institutions (PIs), credit providers (other than credit institutions, CPs), bureaux de change, investment firms, investment funds – and assessed the controls that institutions in these sectors put in place to mitigate the identified risks. For each sector, the ESAs looked at five subheadings related to: the inherent risk in the sector, the quality of controls and AML/CFT breaches in the sector, the overall risk profile of the sector, emerging risks in the sector and recommendations for the AML/CFT supervisors the ESAs issued to reduce the sector’s exposure to ML/TF risks and improve the quality of controls.
In March 2021 the Opinion on the ML/TF risks affecting the EU financial sector ( 29 ) was for the first time issued by the EBA alone as part of its new mandate to lead, coordinate and monitor the fight against ML/TF in the financial system at the EU level. ESMA and EIOPA were closely involved in the process. In the 2021 Opinion, the EBA carried out an assessment of how the risks identified in the second Joint Opinion – i.e. risks associated with virtual currencies (VCs), new technologies (FinTech and RegTech), terrorist financing (TF), ML/TF risks arising from the withdrawal of the UK from the EU and de-risking – have evolved since the previous publication in 2019. In addition, the 2021 EBA Opinion sets out risks associated with the supervision of crowdfunding service providers (CSPs) and crowdfunding platforms (CFPs), integrity risk associated with tax-related crimes and risks linked to the COVID-19 pandemic. Similarly to the 2019 edition, the 2021 Opinion assessed the ML/TF risks prevalent in specific sectors.
In the 2021 Opinion, the EBA observed that, in the view of AML/CFT supervisors across the EU, ML/TF risks associated with virtual currencies, new technologies and de-risking have further increased since 2019. For the VCs, risks identified were relating to growing customer demand, the often unregulated nature of associated products and services and associated lack of customer due diligence measures and a perception by AML/CFT supervisors of the limited overall understanding of ML/TF risks in the sector. Two important legislative changes took place since the second Joint Opinion 2019: 1. custodian wallet providers and providers engaged in exchange services between virtual and fiat currencies have become obliged entities under the AMLD5; and 2. Regulation (EU) 2023/1114 of 31 May 2023 on markets in crypto-assets (the MICA Regulation) ( 30 ) has expanded the EU regulatory perimeter to a wide range of crypto-asset activities, including in relation to stablecoins, and will start to apply after a transitional period of 18 Months after the date of entry into force, that is on 30 December 2024. Regarding the ML/TF risks associated with new technologies, the 2021 Opinion highlighted ML/TF risks related to the perceived over‐reliance of some firms on outsourcing arrangements without adequate oversight, including with regard to AML/CFT solutions for transaction monitoring, customer screening, customer risk assessment and remote customer onboarding. These solutions pose a number of ML/TF risks, including identity fraud.
The most recent edition of the EBA’s Opinion on the ML/TF risks affecting the EU financial sector was published in July 2023 ( 31 ). In addition to the ML/TF risk analysis for specific financial sectors (i.e. credit institutions, payment institutions, investment firms, etc.), the report alerted on several cross-sectoral emerging risks. These included in particular non-compliance with, or circumvention of, EU restrictive measures which became an increasing concern since Russia’s invasion of Ukraine in February 2022 and the ensuing imposition of EU-level restrictive measures. Other emerging risks identified in the report include the laundering of proceeds from human trafficking, environmental crimes and cybercrimes. The report also acknowledged that awareness of ML/TF risks is increasing across all sectors under the EBA’s AML/CFT remit but alerted that the AML/CFT systems and controls institutions put in place are not always effective. As a new element in this most recent Opinion, the EBA issued 23 proposals to the EU co-legislators and national supervisors to address the risks identified and to strengthen the EU’s financial crime defences.
Last but not least, as de-risking was identified in all ESAs’ Joint Opinions as a concern, the EBA launched significant work aiming to establish the extent of de-risking within the EU, as well as its root causes and drivers ( 32 ).
(2)New EBA tool for identifying emerging ML/TF risks: the 9(a) risk assessment
With the new mandate of the EBA starting from January 2020 to ‘lead, coordinate and monitor’ AML/CFT efforts in the EU financial system and the ensuing revision of EBA’s founding Regulation, new tools and tasks were accorded to the EBA. Amongst these new ‘special tasks’ Article 9(a) of Regulation (EU) 1093/2010 mandated the EBA to “perform risk assessments of the strategies, capacities and resources of competent authorities to address the most important emerging risks related to money laundering and terrorist financing (ML/TF) at Union level as identified in the supranational risk assessment (SNRA)”.
In December 2020, the EBA’s Board of Supervisors adopted the EBA’s methodology for risk assessments under Article 9a(5) ( 33 ). According to this methodology, the 9a(5) risk assessments are led by EBA staff. They are a fact-finding tool to assess and support the ability of all competent authorities or a cross-section of competent authorities to address specific, strategic, emerging ML/TF risks. Emerging risks include new risks that have not been identified before, and existing risks that have significantly increased or taken on a new significance.
The first emerging risks identified during EBA’s new mandate were the risks associated with the COVID-19 pandemic. These risks affected financial institutions’ ability to ensure adequate AML/CFT compliance, and competent authorities’ ability to ensure the ongoing supervision of financial institutions in the context of restrictions on movement. The EBA issued a statement ( 34 ) in March 2020 in which EBA reminds credit and financial institutions that it remains important to continue to put in place and maintain effective systems and controls to ensure that the EU’s financial system is not abused for ML/TF purposes even in times of crisis such as the COVID-19 outbreak. The same message was reiterated in EBA’s first AML/CFT Newsletter issued on 15 May 2020 ( 35 ), where EBA, amongst other measures, called on authorities that are responsible for the AML/CFT supervision of credit and financial institutions under Directive (EU) 2015/849 to support credit and financial institutions’ ongoing AML/CFT efforts during this pandemic by: 1. Making clear that financial crime remains unacceptable, even in times of crisis such as the COVID-19 outbreak; 2. Continuing to share information on emerging ML/TF risks and setting clear expectations of the steps credit and financial institutions should take to mitigate those risks; 3. Considering how to adapt the use of their supervisory tools temporarily to ensure ongoing compliance by credit and financial institutions with their AML/CFT obligations.
In 2021, the EBA carried out its first inquiry under Article 9a(5) using the full methodology referred to above. It covered the responses of European AML/CFT competent authorities to the risks identified as part of the information contained in the ‘Luanda Leaks’, as released by the International Consortium of Investigative Journalists (ICIJ) in January 2020. The EBA’s findings of this inquiry were made public early 2022 ( 36 ). The main risks identified through the Luanda leaks are the risks that 1. persons, or their associates with qualifying holdings in credit or financial institutions, may misuse the credit or financial institution in their jurisdiction to launder the proceeds from corruption; 2. companies, that were beneficially owned or controlled by certain persons, or their associates, may be customers of credit and financial institutions registered in their jurisdiction, and used to launder the proceeds from corruption and 3. the risk that credit and financial institutions fail to identify customers or beneficial owners that are high-risk politically exposed persons, or are owned and controlled by persons from high ML/TF risk jurisdictions.
The EBA also keeps abreast of new, emerging ML/TF risks in the EU financial sector through EBA’s continuous interaction with AML/CFT supervisors across Member States. On 22 March 2022, the EBA issued a statement ( 37 ) following Russia’s invasion of Ukraine, underscoring the need for European banks and other financial institutions to implement and comply with the restrictive measures adopted by the EU in response to the Ukrainian crisis. The statement also reminded that the EU Ministers activated the Temporary Protection Directive ( 38 ) introducing temporary protection and support to persons fleeing Ukraine as a consequence of the war. National competent authorities should ensure that, in line with the Payment Accounts Directive (2014/92/EU), displaced persons from Ukraine have access to open and use payment accounts with basic services. It also emphasized that financial institutions should follow a risk-based approach when providing financial products in this situation and take advantage of the flexibility enshrined in the EU AML/CFT Directive as well as in the EBA’s ML/TF Risk Factors Guidelines and the EBA Opinion on the application of customer due diligence measures to customers who are asylum seekers ( 39 ).
Finally, the most recent 9a(5) risk assessment, published in July 2023, aimed to identify and assess ML/TF risks associated with the specific sector of payment institutions ( 40 ). More specifically, the purpose was to assess the scale and nature of ML/TF risks of the payment institutions as a sector; the adequateness of the internal AML/CFT systems and controls put in place by the sector to tackle those risks and the current AML/CFT supervisory approaches regarding the sector. Results of the risk assessment revealed certain shortcomings in the quality of AML/CFT controls and measures put in place by payments institutions, and also in the current supervisory approaches.
5.2.3.EBA’s work on de-risking
Neither the EBA’s subsequent Risk Factors Guidelines, nor the risk-based approach mandated by the AMLD require the wholesale exiting of entire categories of customers irrespective of the ML/TF risk associated with individual business relationships or occasional transactions. This phenomenon is called ‘de-risking’.
De-risking refers to a decision taken by financial institutions to refuse to onboard or to discontinue servicing existing customers that they associate with higher ML/TF risk. While it is right that firms should not take on risks they cannot manage, it is primordial that such decisions are based on risk assessments on individual customers on a case-by-case basis instead of deciding on entire categories or groups of customers.
The scale of de-risking was brought to EBA’s attention by EBA’s external stakeholders, who responded massively to EBA’s public call for input, sharing their experience and raising significant concerns of ‘de-risking’, as an erroneous interpretation and application of the risk-based approach.
Based on the information gathered, as well as through further exchanges with supervisors across EU Member States, the EBA completed an assessment of the scale and impact of de-risking across the EU with the aim to better understand why institutions decide to de-risk particular categories of customers instead of managing the risks associated therewith.
In January 2022, the EBA published its findings on de-risking in form of a report and an EBA Opinion ( 41 ). The EBA found that de-risking occurs across the EU and affects different types of customers or potential customers of credit and financial institutions, including specific segments of the financial sector such as respondent banks, payment institutions (PIs) and electronic money institutions (EMIs), as well as certain categories of individuals or entities that can be associated with higher ML/TF risks, for example asylum seekers from high ML/TF risk jurisdictions or non-profit organisations (NPOs). While the impact and scale of de-risking within different categories of customers vary, de-risking can lead to adverse economic outcomes or amount to financial exclusion. Financial exclusion is of concern, as access to at least basic financial products and services is a prerequisite for participation in modern economic and social life.
Main drivers of de-risking include situations where ML/TF risks or reputational risks exceed institutions’ risk appetite, where the institutions lack the relevant knowledge or expertise to assess the risks associated with specific business models or where the real or expected cost of compliance exceeds profits.
In the referred Opinion, EBA found that, in making decisions to de-risk certain customers or categories of customers, institutions may face conflicting provisions in EU law, in particular in relation to Directive (EU) 2015/849 (AMLD), Directive (EU) 2014/92 on access to payment accounts with basic features (PAD) and Directive (EU) 2015/2366 on payment services in the internal market (PSD2). Accordingly, and in addition to EBA’s engagement with national supervisors to monitor the progress made to tackle unwarranted de-risking ( 42 ) at Member State level, the EBA issued in March 2023 two new sets of guidelines. The first set (the Guidelines on effective management of ML/TF risks when providing access to financial services ( 43 )), aim to clarify the steps financial institutions should take to make sure that the application of robust AML/CFT controls does not prevent customers’ legitimate access to financial services. The second set (which consists of an Annex to the EBA’s existing ML/TF Risk Factors Guidelines) is dedicated to NPOs and aims to clarify the factors financial institutions should consider when assessing the ML/TF risks associated with a business relationship with customers that are NPOs. This is to contribute to preventing unwarranted obstacles to the delivery of assistance or humanitarian relief. Together, these guidelines foster a common understanding throughout the Union on what institutions should do to tackle ML/TF risks effectively while taking care not to deny customers access to financial services without good reasons. These guidelines were complemented by the publication, in July 2023, of a joint EBA/European Commission factsheet ( 44 ) to help NPOs understand what information they might have to provide to access financial services.
5.3.NCAs and FIUs – Information access and cooperation
Important steps have been taken since the adoption of Directives (EU) 2015/849 and (EU) 2018/843 to improve information access and supervisory cooperation, with, in particular, the 2019 ESAs Joint Guidelines on AML/CFT Colleges, the 2019 Multilateral Agreement between the ECB and competent authorities, and, as part of EBA’s AML/CFT expanded mandate since 2020 (i) the 2021 EBA AML/CFT Cooperation Guidelines, (ii) EBA’s AML/CFT database named “EuReCA”, and (iii) work on strengthening cooperation between AML/CFT and prudential supervisors.
5.3.1.Cooperation and information exchange between competent authorities for AML/CFT supervision, including the establishment of AML/CFT Colleges
Directive (EU) 2015/849 required AML/CFT competent authorities and financial intelligence units, as well as other public authorities involved in the fight against ML/TF to cooperate in the fight against financial crime. It did not extend that requirement to other stakeholders, including prudential supervisors. It also did not introduce specific cooperation gateways, which meant that in practice, cooperation was hampered by real or perceived legal obstacles. Directive (EU) 2018/843 introduced an explicit requirement to not prohibit or unreasonably restrict the exchange of information or cooperation between competent authorities for AML/CFT supervision purposes, but it did not establish a framework to support supervisory cooperation or information exchange.
Against this background, in 2019, the three ESAs published Joint Guidelines on AML/CFT Colleges ( 45 ) on their own initiative. The purpose of these guidelines was to clarify the practical modalities of supervisory cooperation and information exchange, and to create a common framework that supervisors should use to support effective oversight of cross-border groups from an AML/CFT perspective and also from a more general prudential perspective. Importantly, these Guidelines created a framework for the establishment of AML/CFT colleges.
AML/CFT colleges are permanent structures for cooperating and exchanging information between the competent authorities responsible for the supervision of financial institutions that operate on a cross border basis in at least three different Member States, including third-country undertakings with EU establishments in at least three Member States. The establishment of AML/CFT colleges, separately from the already existing colleges of prudential supervisors, was necessary to exchange specific information on ML/TF risks, including emerging risks, related to financial institutions, with supervisors that are responsible for the AML/CFT supervision of the same firm. Prudential supervisors are invited to participate in AML/CFT colleges as observers. The Guidelines provided a two-year transition period during which competent authorities were expected to put in place all elements and set up colleges on a risk sensitive basis, before the Guidelines fully entered into force as of 10 January 2022. In situations where the conditions for setting up an AML/CFT college were not met, the Guidelines defined the process for bilateral exchanges of information between supervisors.
As part of its coordinating role on AML/CFT related issues, the EBA published in December 2020 its first Report on the functioning of AML/CFT Colleges ( 46 ). At that time, only 10 AML/CFT colleges had been established for EU banks, however, the report acknowledged that the two‐year transition period, at the end of which all colleges should be set up, had not passed yet at the moment of the publication. This first report summarised the EBA’s observations in respect of the mapping of financial institutions, composition of AML/CFT colleges, written cooperation and information sharing agreements and meetings of the AML/CFT colleges and highlighted areas that might require more focus from supervisors when setting up AML/CFT colleges in future. In addition, the report provided examples of good practices observed that all AML/CFT supervisors should consider adopting to ensure effective cooperation within the colleges.
The second EBA report on AML/CFT colleges was published in September 2022 ( 47 ), and indicated that, during the year 2021, a total of 120 new AML/CFT colleges were established. The report highlighted that in most colleges the discussions focused on the institution’s exposure to ML/TF risks, early signals of emerging risks, supervisory activities and administrative sanctions or measures. The report also formulated six action points, for EU supervisors attending the college meetings, in order to make the AML/CFT colleges network more efficient and useful.
In August 2023, the most recent EBA report on AML/CFT colleges was published ( 48 ) highlighting that the number of fully operating colleges had increased to 229 by end of December 2022. The EBA found that EU supervisors had taken important steps to make AML/CFT colleges useful and effective. A structured approach to organising college meetings had contributed to the exchange of more substantive, actionable information than was the case previously, and prudential supervisors and FIUs had actively participated in most AML/CFT colleges, to which they had been invited. In several colleges the quality of discussions was greatly enhanced, and the lead supervisor was leading these discussions much more effectively. The report also looked at what actions AML/CFT supervisors have made to address the six action points formulated previously. While it recognised the significant progress made in establishing the AML/CFT colleges, it highlighted the continuous need for more awareness raising on the benefits of information exchange through such colleges, to enhance participation from third country observers and to further adjust the nature and frequency of AML/CFT college meetings to the ML/TF risks to which the financial institution is exposed.
More broadly, the EBA observed that supervisors across the EU are committed to implementing the AML/CFT colleges framework effectively. This became evident from the resources allocated to work on the establishment and implementation of AML/CFT colleges and from the supervisors’ engagement at the college meetings. EBA staff also observed that supervisors’ participation in AML/CFT colleges enhanced cooperation, with an increasing number of exchanges of information between supervisors within the AML/CFT colleges. AML/CFT colleges are, by now, also identified as best practice by international standard setters such as the BCBS and the FATF.
In addition to fulfilling its legal duty to lead, coordinate and monitor the AML/CFT efforts across the EU, the EBA is also a permanent member in all AML/CFT colleges. By 15 September 2023, the total number of AML/CFT colleges reached 274. The EBA has been providing hands-on bilateral feedback during the AML/CFT college meetings it attended as required, and has facilitated the negotiation of framework terms of participation for AML/CFT college observers and third-country authorities. Given the increasing number of AML/CFT colleges, the EBA put in place, as of 2022, a strategy for its AML/CFT colleges’ monitoring, whereby EBA started actively monitoring 15 AML/CFT colleges and selected 10 other AML/CFT colleges annually for thematic monitoring. To select the AML/CFT colleges for the different types of monitoring, the EBA set out specific criteria which include the inherent ML/TF risk exposure of the sector, the ML/TF risk rating of the institution and the scope of the institution’s cross-border operations ( 49 ).
5.3.2.The EBA’s AML/CFT Cooperation Guidelines
Directive (EU) 2019/878 ( 50 ) (“CRD5”) introduced an explicit cooperation obligation between prudential supervisors, AML/CFT supervisors, and financial intelligence units into Directive 2013/36/EU (“CRD4”) ( 51 ) and removed legal barriers to effective information exchange between those authorities that were linked to confidentiality rules, provided that such cooperation and information exchange do not impinge on an ongoing inquiry, investigation or proceedings in accordance with the criminal or administrative law of the Member State where such authorities are located. More specifically, Article 117(6) of CRD4 as amended by CRD5 mandated the EBA to develop guidelines specifying the manner for cooperation and information exchange between prudential supervisors, AML/CFT supervisors, and financial intelligence units, particularly in relation to cross-border groups and in the context of identifying serious breaches of anti-money laundering rules. To fulfil this mandate, the EBA published its AML/CFT Cooperation Guidelines ( 52 ) in December 2021. The Guidelines, in application since 1 June 2022, require that the cooperation and information exchange should happen throughout the supervisory life cycle covering authorisation, qualifying holding assessments, assessments of suitability of members of the management body and key function holders, ongoing supervision including assessment of internal controls and risk management systems and the imposition of supervisory measures and sanctions and the withdrawal of the authorisation.
Findings of a 2022 survey conducted by the EBA showed that AML/CFT supervisors in all Member States ‘intend to comply’ with the EBA’s AML/CFT Cooperation Guidelines; 14 respondents reported that they were already fully compliant, out of which nine indicated that they did not need any further update of their internal processes and procedures as they had already been aligned previously, and five confirmed that they completed the necessary updates in their internal processes and procedures to become compliant with the guidelines as of September 2022; the remaining 12 responding NCAs indicated that the updates are ongoing in order to comply with the guidelines, and one NCA responded that they have not started measures towards compliance with the guidelines but they intended to do so in the future. These findings are in line with the results of EBA’s findings of its so-called ‘implementation reviews’, which suggest that cooperation between prudential and AML/CFT supervisors has become a priority in Member States. In addition, EBA findings indicated an increasing level of cooperation with FIUs, however, challenges remain in certain Member States in this regard.
5.3.3.Multilateral Agreement between the ECB and competent authorities
As mentioned previously, the amendment introduced into AMLD4 by AMLD5 also required that AML/CFT competent authorities and financial intelligence units as well as other public authorities involved in the fight against ML/TF have in place effective mechanisms to cooperate. More specifically, its Article 57a(2) requires the ESAs to facilitate an agreement between the ECB and national AML/CFT competent authorities on the practical modalities for exchange of information. The ESAs negotiated a Multilateral Agreement on this basis and published it in January 2019. It has since been signed by the ECB and competent authorities, allowing for structured bilateral exchanges of information between the ECB and more than 50 national AML/CFT supervisors in the European Economic Area (EEA). This includes regular submissions on both sides relating to obliged entities.
Since January 2019, the ECB has used these agreements to engage in more than 1.000 individual information exchanges with the more than 50 national AML/CFT authorities of the EEA. As stipulated in the AML Multilateral Agreement, the ECB and the AML/CFT authorities exchange information that is relevant for the completion of their respective tasks either on their own initiative or upon request. The information shared by AML/CFT authorities concerns in particular the ML/TF risk assessment performed by AML/CFT authorities, information related to AML sanctions and information related to subsidiaries that are perceived as high-risk from an ML/TF perspective. The ECB in return inter alia shares relevant excerpts of the annual Supervisory Review and Evaluation Process (SREP) decisions, of on-site inspection reports, and of breach reports. The information provided by AML/CFT authorities to the ECB directly feeds into the different ECB supervisory processes, in particular into the SREP analysis, fit and proper (FAP) assessments and authorisation procedures. In this context the ECB has, among others, taken SREP measures targeting the prudential root causes of ML/TF concerns, has imposed ancillary provisions to deal with ML/TF concerns in FAP procedures and authorization decisions, and has taken negative authorisation decisions including the withdrawal of a bank license.
5.3.4. Further improvements as part of EBA’s AML/CFT expanded mandate since 2020 (EuReCa database and work on improving synergies between AML/CFT and prudential supervision)
Since 2020, the EBA’s AML/CFT mandate has been expanded to require it to lead, coordinate and monitor the AML/CFT efforts of all EU financial services providers and competent authorities. As part of this mandate, the EBA has taken a series of important initiatives to further strengthen cooperation and information exchange in the EU, including the establishment of the first European AML/CFT database, and efforts to embed ML/TF risks in all areas of EBA’s work to ensure a holistic approach to tackling ML/TF risk across all aspects of supervision, and across all stages of an institution’s life cycle:
(1)EBA’s AML/CFT database: ‘EuReCA’
EuReCA stands for European reporting system for material counter-terrorist financing and anti-money laundering weaknesses. This is the EBA’s central AML/CFT database, operational since January 2022.
EuReCA contains information on serious shortcomings that competent authorities have identified in individual financial institutions that affect these institutions’ ability to tackle ML/TF risks effectively. It also contains information on the measures authorities have taken in response to these serious shortcomings. AML/CFT supervisors and prudential supervisors in Member States (including the ECB) are now reporting data to EuReCA.
The EBA shares information from EuReCA with individual competent authorities on its own initiative and on request to support them at all stages of the supervisory process. It also uses EuReCA to identify specific risks and trends at the sectoral and European level. As such, EuReCA can act as an early warning tool that will help competent authorities to act before the ML/TF risks crystallise. As of 15 September 2023, EuReCA has received 924 submissions in total, including 608 material weaknesses and 316 measures. These submissions concerned 210 entities; mainly credit institutions and payment institutions. So far, 36 AML/CFT and prudential authorities (including the ECB) have reported data. The serious deficiencies reported by AML/CFT supervisors mainly related to CDD measures, inadequate or missing on-going monitoring and the transaction monitoring system. With regard to the prudential supervisors, the weaknesses reported at this stage where mostly identified through regular off-site monitoring, mainly from the SREP process ( 53 ).
In addition, EBA is responding to ‘reasoned requests’, which are requests for information by supervisory authorities to the EBA regarding specific institutions under their supervision, to inquire about information which EuReCA may contain in relation to the specific institution.
(2)Work conducted by the EBA on tackling ML/TF risk through prudential supervision
The EBA has made significant efforts as part of its extended mandate to embed the assessment and mitigation of ML/TF risks in all areas of financial supervision, including by setting out how prudential supervisors should consider ML/TF risks in the context of the Supervisory Review and Evaluation Process, SREP ( 54 ). The SREP Guidelines have undergone a revision with the objective of specifying how to take into account ML/TF risks throughout the process and were finally published on 18 March 2022 ( 55 ).
In its continuous efforts to consider ML/TF risks in all areas of its competence, the EBA revised and subsequently published in July 2021 its Joint Guidelines on the assessment of the suitability of members of the management body and key functions holders ( 56 ). These joint guidelines, applicable to credit institutions and investment firms, were revised, amongst others, to include elements of the assessment of the suitability in the context of the ML/TF risk factors. In addition, the EBA also revised and published, in July 2021, its Internal governance Guidelines ( 57 ) in order to add additional elements that aim to foster a sound risk culture implemented by the management body, to strengthen the management body’s oversight of the institution’s activities and to strengthen the risk management frameworks of institutions, e.g. by including the aspect of ML/TF risk factors.
Overall, through the implementation reviews, EBA observed a positive impact of the above-mentioned EBA efforts to embed ML/TF risks in the prudential supervisory work. After the publication of the Opinion and Guidelines referred to above, the EBA found that awareness on the synergies that exist between AML/CFT and prudential supervision had significantly increased. The information exchanges between national AML/CFT supervisors and prudential supervisors have intensified. In most cases, the EBA observed the establishment of new processes between national stakeholders aiming to make the information flows more fluid and regular. The EBA found that some of the prudential supervisors in Member States started involving, in a systematic manner, AML/CFT experts in their specific processes, such as the assessment of applications for authorisations, the acquisition of qualifying holdings, or fitness and propriety.
However, the EBA noted through the series of implementation reviews, and a review of competent authorities’ implementation of its qualifying holding guidelines, that this practice has not yet been adopted in all Member States. In many cases, prudential supervisory staff did not appear to understand ML/TF risks sufficiently to be able to identify issues of concern, yet, not in all instances AML/CFT experts were consulted, or even when they were consulted, AML/CFT experts were not always involved in discussions about the severity of the issues they had identified and the impact of such issues on prudential objectives. The EBA also observed that prudential supervisors did not always share information with their AML/CFT counterparts in a sufficiently timely manner and, in some cases, prevented AML/CFT supervisors from sharing information with their AML/CFT counterparts. The EBA expects that these shortcomings will be addressed as prudential authorities implement relevant guidelines.
From the point of view of the ECB the cooperation between the ECB and AML/CFT authorities has improved significantly, which is due to, inter alia, the Multilateral Agreement between the ECB and the AML/CFT competent authorities on the practical modalities for exchange of information that was mandated by AMLD5.