EUROPEAN COMMISSION
Brussels, 20.7.2021
COM(2021) 420 final
2021/0239(COD)
Proposal for a
REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing
(Text with EEA relevance)
{SEC(2021) 391 final} - {SWD(2021) 190 final} - {SWD(2021) 191 final}
EXPLANATORY MEMORANDUM
1.CONTEXT OF THE PROPOSAL
•Reasons for and objectives of the proposal
Money laundering and terrorist financing pose a serious threat to the integrity of the EU economy and financial system and the security of its citizens. Europol has estimated that around 1% of the EU’s annual Gross Domestic Product is ‘detected as being involved in suspect financial activity’. In July 2019, following a number of prominent cases of alleged money laundering involving credit institutions in the Union, the Commission adopted a package analysing the effectiveness of the EU Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) regime as it stood at that time, and concluding that reforms were necessary. In this context, the EU’s Security Union Strategy for 2020-2025 highlighted the importance of enhancing the EU’s framework for anti-money laundering and countering terrorist financing in order to protect Europeans from terrorism and organised crime.
On 7 May 2020 the Commission presented an Action Plan for a comprehensive Union policy on preventing money laundering and terrorist financing. In that Action Plan, the Commission committed to take measures in order to strengthen the EU’s rules on combating money laundering and terrorist financing and their implementation and defined six priorities or pillars:
1.
Ensuring effective implementation of the existing EU AML/CFT framework,
2.
Establishing an EU single rulebook on AML/CFT,
3.
Bringing about EU-level AML/CFT supervision,
4.
Establishing a support and cooperation mechanism for FIUs,
5.
Enforcing EU-level criminal law provisions and information exchange,
6.
Strengthening the international dimension of the EU AML/CFT framework.
While pillars 1, 5 and 6 of the Action Plan are being implemented, the other pillars demand legislative action. This proposal for a Regulation is part of an AML/CFT package of four legislative proposals that is considered as one coherent whole, in implementation of the Commission Action Plan of 7 May 2020, creating a new and more coherent AML/CFT regulatory and institutional framework within the EU. The package encompasses:
–this proposal for a Regulation on the prevention of the use of the financial system for the purposes of money laundering (ML) and terrorist financing (TF);
–a proposal for a Directive establishing the mechanisms that Member States should put in place to prevent the use of the financial system for ML/TF purposes, and repealing Directive (EU) 2015/849;
–a proposal for a Regulation creating an EU Authority for anti-money laundering and countering the financing of terrorism (‘AMLA’), and
–a proposal for the recast of Regulation (EU) 2015/847 expanding traceability requirements to crypto-assets.
This present legislative proposal, together with a proposal for a Directive and a proposal for a recast of Regulation (EU) 2015/847, fulfils the objective of establishing an EU single rulebook (pillar 2).
Both the European Parliament and the Council lent their support to the plan set out by the Commission in the May 2020 Action Plan. In its resolution of 10 July 2020, the European Parliament called for strengthening Union rules and welcomed plans to overhaul the EU AML/CFT institutional set-up. On 4 November 2020, the ECOFIN Council adopted Conclusions supporting each of the pillars of the Commission’s Action Plan.
The need for harmonised rules across the internal market is corroborated by the evidence provided in the 2019 reports issued by the Commission. These reports identified that whereas the requirements of Directive (EU) 2015/849 are far-reaching, their lack of direct applicability and granularity led to a fragmentation in their application along national lines and divergent interpretations. This situation does not allow dealing effectively with cross-border situations and are therefore ill-suited to adequately protect the internal market. It also generates additional costs and burdens for operators providing cross-border services and causes regulatory arbitrage.
To address the above issues and avoid regulatory divergences, all rules that apply to the private sector have been transferred to this proposal for an AML/CFT Regulation, whereas the organisation of the institutional AML/CFT system at national level is left to a Directive, in recognition of the need for flexibility for Member States in this area.
However, the present proposal does not simply transfer provisions from the existing AML/CFT Directive to a Regulation; a number of changes of substance are made in order to bring about a greater level of harmonisation and convergence in the application of AML/CFT rules across the EU:
–in order to mitigate new and emerging risks, the list of obliged entities is expanded to include crypto-asset service providers but also other sectors such as crowdfunding platforms and migration operators;
–to ensure consistent application of rules across the internal market, requirements in relation to internal policies, controls and procedures are clarified, including in the case of groups, and customer due diligence measures are made more granular, with clearer requirements according to the risk level of the customer;
–the requirements in relation to third countries are reviewed to ensure that enhanced due diligence measures are applied to those countries that pose a threat to the Union’s financial system;
–requirements in relation to politically exposed persons are subject to minor clarifications, particularly as regards the definition of a politically exposed person;
–beneficial ownership requirements are streamlined to ensure an adequate level of transparency across the Union, and new requirements are introduced in relation to nominees and foreign entities to mitigate risks that criminals hide behind intermediate levels;
–to guide more clearly reporting of suspicious transactions, red flags raising suspicion are clarified, whereas disclosure requirements and private-to-private sharing of information remain unaltered;
–in order to ensure full consistency with EU data protection rules, requirements for the processing of certain categories of personal data are introduced and a shorter time-limit is provided for retention of personal data;
–the measures to mitigate the misuse of bearer instruments are strenghtened and a provision limiting the use of cash for large transactions is inserted in light of the proven low effect of the current approach relying on traders in goods for implementing AML/CFT requirements in relation to large cash payments.
Having directly-applicable AML/CFT rules in a Regulation, with more detail than at present in Directive (EU) 2015/849, will not only promote convergence of application of AML/CFT measures across Member States, but will also provide a consistent framework against which AMLA will be able to monitor the application of such rules in its function as a direct supervisor of certain obliged entities.
•Consistency with existing policy provisions in the policy area
This proposal takes as its starting point the existing Directive (EU) 2015/849, as amended by Directive (EU) 2018/843. While it follows the current risk-based and comprehensive approach, it deepens and enhances it with a view to bringing about greater effectiveness and cross-border consistency of application of AML/CFT requirements. Building on the amendments introduced by Directive 2018/843, it streamlines beneficial ownership transparency across the internal market, addressing those aspects where a lack of granularity had created possibilities for criminals to exploit the weakest link. This proposal must be seen as part of a package, with the other legislative proposals which accompany it, fully consistent with one another.
This proposal is consistent with the latest amendments to the recommendations of the Financial Action Task Force (FATF), and in particular in relation to the expansion of the scope of entities subject to AML/CFT requirements to include crypto-asset service providers and measures to be taken by obliged entities to assess and mitigate the risks of evasion of targeted financial sanctions. In line with FATF standards, this proposal ensures a consistent approach across the Union to the mitigation of risks deriving from bearer shares and bearer share warrants. Going beyond FATF standards, it tackles risks that are specific to the Union or that have Union-level impacts, such as those deriving from migration schemes or from large cash payments.
•Consistency with other Union policies
EU legislation on AML/CFT interacts with several pieces of EU legislation in the financial services and criminal law areas. This includes EU legislation on payments and transfers of funds (Payment Services Directive, Payment Accounts Directive, Electronic Money Directive). Some examples of how coherence with other EU legislation has been ensured are the following:
–The inclusion of crypto asset service providers among the entities subject to AML/CFT rules and the introduction of information requirements for transfers of virtual assets will complement the recent Digital Finance Package of 24 September 2020 and will ensure full consistency between the EU framework and FATF standards.
–The approach taken to identifying entities subject to AML/CFT rules will also ensure consistency with the recently adopted Regulation on European crowdfunding service providers, in that it subjects to EU AML/CFT rules crowdfunding platforms falling outside the scope of that Regulation, given that certain AML/CFT safeguards are contained in that Regulation for crowdfunding platforms subject to it.
–The amendments to rules on Customer Due Diligence (CDD) include provisions to better frame CDD in cases where remote customer onboarding is carried out, coherent with the Commission’s proposed amendment to the eIDAS Regulation in relation to a framework for a European Digital Identity, including European digital identity wallets and relevant trust service, in particular electronic attestations of attributes. This is in line with the Digital Finance Strategy.
2.LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY
•Legal basis
This proposal for a regulation is based on Article 114 TFEU, the same legal basis as the current EU AML/CFT legal framework. Article 114 is appropriate considering the significant threat to the internal market caused by money laundering and terrorist financing, and the economic losses and disruption of functioning of the single market and reputational damage on a cross-border level which this can create at the level of the Union.
•Subsidiarity
In accordance with the principles of subsidiarity and proportionality as set out in Article 5 of the Treaty on European Union, the objectives of the proposal cannot be sufficiently achieved by Member States and can therefore be better achieved at the Union level. The proposal does not go beyond what is necessary to achieve those objectives.
The 2019 Commission AML package highlighted how criminals have been able to exploit the differences among Member States’ AML/CFT regimes. Flows of illicit money and terrorist financing can damage the stability and reputation of the Union financial system and threaten the proper functioning of the internal market. Measures adopted solely at national level could have adverse effects on the internal market and contribute to fragmentation. EU action is justified in order to maintain a level playing field across the Union – with entities in all Member States subject to a consistent set of anti-money laundering and combating terrorist financing obligations. The cross-border nature of much money laundering and terrorist financing makes good cooperation between national supervisors and FIUs essential to prevent these crimes. Many entities subject to AML obligations have cross-border activities, and different approaches by national supervisors and FIUs hinder them in achieving optimal AML/CFT practices at group level.
•Proportionality
Proportionality has been an integral part of the impact assessment accompanying the proposal and all the proposed options in different regulatory fields have been assessed against the proportionality objective. The cross-border nature of much money laundering and terrorist financing requires a coherent and consistent approach across Member States based on a single set of rules in the form of a single rulebook. However, the present proposal does not adopt a maximum harmonisation approach, as being incompatible with the fundamental risk-based nature of the EU’s AML/CFT regime. In areas where specific national risks justify it, Member States remain free to introduce rules going beyond those laid out in the present proposal.
•Choice of the instrument
A Regulation of the European Parliament and of the Council is an appropriate instrument to contribute to the creation of a single rulebook, being directly and immediately applicable, and thus removing the possibility of differences in application in different Member States due to divergences in transposition. A directly-applicable set of rules at EU level is also needed in order to allow EU-level supervision of certain obliged entities, which is proposed in the draft regulation creating AMLA accompanying the present proposal.
3.RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS
•Ex-post evaluations/fitness checks of existing legislation
A full ex-post evaluation of the current EU AML/CFT regime has not yet taken place, against the background of a number of recent legislative developments. Directive (EU) 2015/849 was adopted on 20 May 2015, with a transposition deadline for Member States of 26 June 2017. Directive (EU) 2018/843 was adopted on 30 May 2018, with a transposition deadline of 10 January 2020. Transposition control is still ongoing. However, the Commission Communication of July 2019 and accompanying reports referred to above serve as an evaluation of the effectiveness of the EU AML/CFT regime as it stood at that point in time.
•Stakeholder consultations
The consultation strategy supporting this proposal was composed of a number of components:
–A consultation on the roadmap announcing the Commission’s Action Plan. The consultation, on the Commission’s Have Your Say portal, ran between 11 February and 12 March 2020, and received 42 contributions from a range of stakeholders;
–A public consultation on the actions put forward in the Action Plan, open to the general public and all stakeholder groups, launched on 7 May 2020, and open until 26 August. The consultation received 202 official contributions;
–A targeted consultation of Member States and competent AML/CFT authorities. Member States had the opportunity to give their views in various meetings of the Expert Group on Money Laundering and Terrorist Financing, and EU FIUs made input in meetings of the FIU Platform and via written papers. The discussions were supported by targeted consultations of Member States and competent authorities, using questionnaires;
–A request for advice from the European Banking Authority, made in March 2020; the EBA provided its opinion on 10 September;
–On 23 July 2020, the EDPS issued an opinion on the Commission’s Action Plan;
–On 30 September 2020, the Commission organised a high-level conference, bringing together representatives from national and EU authorities, MEPs, private sector and civil society representatives and academia.
Stakeholder input on the Action Plan was broadly positive.
•Collection and use of expertise
In preparing this proposal, the Commission relied on qualitative and quantitative evidence collected from recognised sources, including technical advice from the European Banking Authority. Information on enforcement of AML rules was also obtained from Member States via questionnaires.
•Impact assessment
This proposal is accompanied by an impact assessment, which was submitted to the Regulatory Scrutiny Board (RSB) on 6 November 2020 and approved on 4 December 2020. The same impact assessment also accompanies the other legislative proposals which are presented together with the present proposal. The RSB proposed various presentational improvements to the impact assessment in its positive opinion; these have been made.
In the impact assessment the Commission considered three problems: lack of clear and consistent rules, inconsistent supervision across the internal market and insufficient coordination and exchange of information among FIUs. The first of those problems is relevant for the present proposal; on that problem the following options were considered:
1. EU rules would remain as they are with no modifications;
2. Ensure a greater level of harmonisation in the rules that apply to obliged entities and leave it to Member States to detail the powers and obligations of competent authorities;
3. Ensure a greater level of harmonisation in the rules that apply to entities subject to AML/CFT obligations and the powers and obligations of supervisors and FIUs;
Based on the outcome of the impact assessment, option 3 is the preferred option. By introducing a consistent and more granular approach to the rules at EU level, it would allow to remove the current fragmentation both as regards AML/CFT obligations for obliged entities, and the activities of competent authorities. For obliged entities which are active cross-border, it will bring about a level playing field as regards AML/CFT rules and involve savings in implementation costs. Greater detection and deterrence of ML/TF will be promoted.
Annex VI of the Impact Assessment examines the different areas for greater harmonisation of rules, including the list of obliged entities, CDD measures, CDD threshold for occasional transactions, AML/CFT policies, controls and procedures requirements, Crypto-Asset Service Providers and beneficial ownership transparency.
Annex VIII of the Impact Assessment analyses a revised approach to third countries which pose a threat to the Union’s financial system and to the internal market as a whole; the present proposal implements that new approach.
Annex IX of the Impact Assessment analyses the introduction of limits to large cash transactions; the present proposal implements that new approach.
•Regulatory fitness and simplification
Although, as noted above, no formal ex-post evaluation or fitness check of existing EU AML/CFT legislation has yet taken place, a number of points can be made with regard to elements of the proposal which will further simplification and improve efficiency. Firstly, the replacement of certain rules in a Directive with more harmonised and directly applicable rules in a Regulation will remove the need for transposition work in the Member States and facilitate doing business for cross-border entities in the EU. Moreover, the removal from the scope of the EU AML/CFT framework of traders in goods, linked to the proposed prohibition on cash operations over EUR 10 000, will release such traders from the administrative burden of applying AML/CFT requirements in relation to cash operations exceeding EUR 10 000. Finally, the greater degree of harmonisation of AML rules in a number of specific areas will facilitate the implementation of group-wide internal policies, controls and procedures across the internal market.
•Fundamental rights
The EU is committed to ensuring high standards of protection of fundamental rights. In particular, safeguards for the handling of personal data by obliged entities are introduced to ensure compliance with the relevant data protection requirements, and in particular in relation to certain categories of personal data of a more sensitive nature.
4.BUDGETARY IMPLICATIONS
This Regulation has no budgetary implications.
5.OTHER ELEMENTS
•Implementation plans and monitoring, evaluation and reporting arrangements
The proposal includes a general plan for monitoring and evaluating the impact on the specific objectives, requiring the Commission to carry out a first review five years after the date of application of the Regulation (and every three years thereafter), and to report to the European Parliament and the Council on its main findings. The proposal for an AML/CFT Directive accompanying this present proposal has the same evaluation provisions, and the evaluation of the two instruments can be combined in one report. The review is to be conducted in line with the Commission’s Better Regulation Guidelines.
•Detailed explanation of the specific provisions of the proposal
Subject matter and scope, including list of Obliged Entities
While most definitions are carried over from the current EU AML/CFT legislation, a number of definitions are added, adapted or updated.
The range of entities defined as Obliged Entities under current EU AML/CFT legislation and thus subject to EU AML/CFT rules is amended in the following ways: the scope of crypto-asset service providers (CASPs) is aligned with that of the Financial Action Task Force and thus widened compared with the current Directive; crowdfunding service providers which fall outside the scope of Regulation (EU) 2020/1503 are added; creditors for mortgage and consumer credits as well as mortgage and consumer credit intermediaries that are not credit institutions or financial institutions are added to ensure a level playing field between operators providing the same kind of services; operators involved on behalf of third country nationals in the context of investor residence schemes are added; traders in goods are removed (hitherto, these had an obligation to report cash transactions of a value over EUR 10 000), except for dealers in precious metals and stones, who, given the exposure to money laundering and terrorist financing risks of the sector, should continue to apply AML/CFT requirements.
Internal policies controls and procedures
The requirement on obliged entities to have in place a policy to identify and assess the risks of money laundering and terrorist financing they are facing, with a risk-based approach, and to mitigate those risks builds on current EU AML/CFT legislation but provides more clarity on the requirements. Obliged entities must take all measures at the level of their management to implement internal policies, controls and procedures, including the appointment of a dedicated compliance manager, and ensure that responsible staff are appropriately trained. The requirement to allocate a member of the staff to the role of compliance officer and the tasks of such role are clarified. Clarifications are provided in relation to the requirements that apply to groups, to be further complemented by regulatory technical standards detailing minimum requirements, the role of parent entities that are not themselves obliged entities and the conditions under which other structures such as networks and partnerships should apply group-wide measures. The requirements applicable to groups with branches operating in third countries are maintained.
Customer due diligence
While most provisions on Customer Due Diligence (CDD) are carried over from existing EU AML/CFT legislation, a number of clarifications and additional details are laid down in this proposal regarding CDD. The fundamental objective of CDD is clarified as being to obtain sufficient knowledge of customers enabling obliged entities to determine the money laundering and terrorist financing risks of business relationships or occasional transactions and to decide the corresponding mitigating measures which they need to apply. More specific and detailed provisions are laid down on the identification of the customer and on the verification of the customer’s identity. The conditions for the use of electronic identification means as set out by Regulation (EU) No 910/2014 are clarified. AMLA is empowered and required to produce regulatory technical standards on the standard datasets for identifying natural and legal persons; these RTS will include specific simplified CDD measures that obliged entities may implement in case of lower risk situations identified in the Supranational Risk Assessment that the Commission is required to draw up. Rules on simplified and enhanced due diligence measures are detailed.
The policy regarding third countries is adapted. The Commission will identify third countries either taking into account the public identification by the relevant international standard-setter (the FATF) or on the basis of its own autonomous assessment. Third countries so identified by the Commission will be subjected to two different sets of consequences, proportionate to the risk they pose to the Union’s financial system: (i) third countries subject to all enhanced due diligence measures and to additional country-specific countermeasures; and (ii) third countries subject to country-specific enhanced due diligence measures. In principle, third countries “subject to a call for action” by the FATF will be identified by the Commission as high-risk third countries. Due to the persistent nature of the serious strategic deficiencies in their AML/CFT framework, all enhanced due diligence measures will apply to them as well as country-specific countermeasures to proportionately mitigate the threat. Third countries with compliance weaknesses in their AML/CFT regimes, defined as “subject to increased monitoring” by the FATF, will in principle be identified by the Commission and subject to country-specific enhanced due diligence measures, proportionate to the risks. The Commission may also identify third countries, which are not listed by the FATF, but which pose a specific threat to the Union’s financial system and which, on the basis of that threat, will be subject either to country-specific enhanced due diligence measures or, where appropriate, to all enhanced due diligence measures and to countermeasures. In assessing the level of threat stemming from those third countries, the Commission may build on the technical expertise of AMLA. Finally, AMLA will develop guidelines on money laundering and terrorist financing risks, trends and methods, which do not have a country-specific dimension, but rather stem from geographical areas outside the Union and advise obliged entities accordingly on the opportunity to implement measures to mitigate them. This revised approach to third countries aims at ensuring that external threats to the Union’s financial system and the proper functioning of the internal market are effectively mitigated, by implementing a harmonised approach at EU level and ensuring more granularity and proportionality in the definition of the consequences attached to the listing, on a risk-sensitive basis.
Politically Exposed Persons (PEPs)
The provisions on PEPs are based on the current AML/CFT legislation, with an obligation on Member States to draw up lists of functions which confer PEP status on their territory, and obligations on obliged entities to subject PEPs to enhanced CDD measures, on a risk-based approach. The requirements applicable to persons who no longer hold prominent public functions are laid down in legislation.
Reliance and outsourcing
Building on the current rules, the proposal clarifies the respective conditions for the resort to reliance on CDD already performed by other obliged entities and outsourcing of functions to other entities or service providers. The proposal maintains that in either situation the ultimate responsibility for conformity with the rules remains with the obliged entity. A risk-based approach must be applied and providers based in high-risk third countries, countries with compliance weaknesses as well as in any other country that poses a threat to the Union’s financial system must not be relied upon or outsourced functions to.
Beneficial ownership information
The provisions on beneficial ownership information in the proposal build on those in current EU AML/CFT legislation, including the concept of beneficial ownership and the requirement for all corporate and other legal entities to obtain and hold adequate, accurate and current beneficial ownership information. More detailed rules are provided to identify the beneficial owner(s) of corporate and other legal entities, and a harmonised approach to the identification of beneficial ownership is laid down. With regard to express trusts and similar legal entities or arrangements, provisions are provided to ensure the consistent identification of beneficial owners across Member States when similar situations are faced, including an empowerment for a Commission implementing act. The proposal includes disclosure requirements for nominee shareholders and nominee directors, and introduces the obligations to register their beneficial ownership in the Union for non-EU legal entities that either enter into a business relationship with an EU obliged entity or acquire real estate in the Union.
Reporting obligations
The provisions on reporting of suspicious transactions to FIUs (or to a self-regulatory body, if a Member State would provide for that) are based on those in current EU AML/CFT legislation. Clearer rules are provided on how transactions are to be identified. In order to facilitate obliged entities’ compliance with their reporting obligations and allow for a more effective functioning of the FIUs’ analytical activities and cooperation, AMLA will develop draft implementing technical standards specifying a common template for the reporting of suspicious transactions to be used as a uniform basis throughout the EU.
Data protection
The EU General Data Protection Regulation (Regulation (EU) 2016/679) applies to the processing of personal data for the purposes of this proposal. The proposal clarifies the conditions that apply to the processing of certain categories of personal data of a more sensitive nature by obliged entities. Obliged entities must retain records of certain personal data for five years.
Measures to mitigate the risks of misuse of bearer instruments
The proposal contains a provision preventing traders in goods or services from accepting cash payments of over EUR 10 000 for a single purchase, while allowing Member States to maintain in force lower ceilings for large cash transactions. This ceiling does not apply to private operations between individuals. The Commission must assess the benefits and impacts of further lowering of this threshold within three years of application of the proposed Regulation. The provision and custody of anonymous crypto-asset wallets are prohibited. Companies that are not listed are prohibited from issuing bearer shares and are required to register those shares. The issuance of bearer share warrants is only allowed in intermediated form.
Final provisions
Provisions for the adoption by the Commission of delegated acts under Article 290 of the Treaty are laid down. The Regulation will enter into force on the twentieth day after publication in the Official Journal and become applicable 3 years after its entry into force. The Commission must review and evaluate this Regulation within five years of its application and every three years thereafter.
2021/0239 (COD)
Proposal for a
REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing
(Text with EEA relevance)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Central Bank,
Having regard to the opinion of the European Economic and Social Committee,
Acting in accordance with the ordinary legislative procedure,
Whereas:
(1)Directive (EU) 2015/849 of the European Parliament and of the Council constitutes the main legal instrument for the prevention of the use of the Union financial system for the purposes of money laundering and terrorist financing. That Directive sets out a comprehensive legal framework, which Directive (EU) 2018/843 of the European Parliament and the Council further strengthened by addressing emerging risks and increasing transparency of beneficial ownership. Notwithstanding its achievements, experience has shown that further improvements should be introduced to adequately mitigate risks and to effectively detect criminal attempts to misuse the Union financial system for criminal purposes.
(2)The main challenge identified in respect to the application of the provisions of Directive (EU) 2015/849 laying down obligations for private sector actors, the so-called obliged entities, is the lack of direct applicability of those rules and a fragmentation of the approach along national lines. Whereas those rules have existed and evolved over three decades, they are still implemented in a manner not fully consistent with the requirements of an integrated internal market. Therefore, it is necessary that rules on matters currently covered in Directive (EU) 2015/849 which may be directly applicable by the obliged entities concerned are addressed in a new Regulation in order to achieve the desired uniformity of application.
(3)This new instrument is part of a comprehensive package aiming at strengthening the Union’s AML/CFT framework. Together, this instrument, Directive [please insert reference – proposal for 6th Anti-Money Laundering Directive - COM/2021/423 final], Regulation [please insert reference – proposal for a recast of Regulation (EU) 2015/847 - COM/2021/422 final] and Regulation [please insert reference – proposal for establishment of an Anti-Money Laundering Authority - COM/2021/421 final] will form the legal framework governing the AML/CFT requirements to be met by obliged entities and underpinning the Union’s AML/CFT institutional framework, including the establishment of an Authority for anti-money laundering and countering the financing of terrorism (‘AMLA’).
(4)Money laundering and terrorist financing are frequently carried out in an international context. Measures adopted at Union level, without taking into account international coordination and cooperation, would have very limited effect. The measures adopted by the Union in that field should therefore be compatible with, and at least as stringent as actions undertaken at international level. Union action should continue to take particular account of the Financial Action Task Force (FATF) Recommendations and instruments of other international bodies active in the fight against money laundering and terrorist financing. With a view to reinforcing the efficacy of the fight against money laundering and terrorist financing, the relevant Union legal acts should, where appropriate, be aligned with the International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation adopted by the FATF in February 2012 (the ‘revised FATF Recommendations’) and the subsequent amendments to such standards.
(5)Since the adoption of Directive (EU) 2015/849, recent developments in the Union’s criminal law framework have contributed to strengthening the prevention and fight against money laundering, its predicate offences and terrorist financing. Directive (EU) 2018/1673 of the European Parliament and of the Council has led to a common understanding of the money laundering crime and its predicate offences. Directive (EU) 2017/1371 of the European Parliament and of the Council defined financial crimes affecting the Union’s financial interest, which should also be considered predicate offences to money laundering. Directive (EU) 2017/541 of the European Parliament and of the Council has achieved a common understanding of the crime of terrorist financing. As those concepts are now clarified in Union criminal law, it is no longer needed for the Union’s AML/CFT rules to define money laundering, its predicate offences or terrorist financing. Instead, the Union’s AML/CFT framework should be fully coherent with the Union’s criminal law framework.
(6)Technology keeps evolving, offering opportunities to the private sector to develop new products and systems to exchange funds or value. While this is a positive phenomenon, it may generate new money laundering and terrorist financing risks, as criminals continuously manage to find ways to exploit vulnerabilities in order to hide and move illicit funds around the world. Crypto-assets service providers and crowdfunding platforms are exposed to the misuse of new channels for the movement of illicit money and are well placed to detect such movements and mitigate risks. The scope of Union legislation should therefore be expanded to cover these entities, in line with the recent developments in FATF standards in relation to crypto-assets.
(7)The institutions and persons covered by this Regulation play a crucial role as gatekeepers of the Union’s financial system and should therefore take all necessary measures necessary to implement the requirements of this Regulation with a view to preventing criminals from laundering the proceeds of their illegal activities or from financing terrorist activities. Measures should also be put in the place to mitigate any risk of non-implementation or evasion of targeted financial sanctions.
(8)Financial transactions can also take place within the same group as way of managing group finances. However, such transactions are not undertaken vis-à-vis customers and do not require the application of AML/CFT measures. In order to ensure legal certainty, it is necessary to recognise that this Regulation does not apply to financial activities or other financial services which are provided by members of a group to other members of that group.
(9)Independent legal professionals should be subject to this Regulation when participating in financial or corporate transactions, including when providing tax advice, where there is the risk of the services provided by those legal professionals being misused for the purpose of laundering the proceeds of criminal activity or for the purpose of terrorist financing. There should, however, be exemptions from any obligation to report information obtained before, during or after judicial proceedings, or in the course of ascertaining the legal position of a client, which should be covered by the legal privilege. Therefore, legal advice should remain subject to the obligation of professional secrecy, except where the legal professional is taking part in money laundering or terrorist financing, the legal advice is provided for the purposes of money laundering or terrorist financing, or where the legal professional knows that the client is seeking legal advice for the purposes of money laundering or terrorist financing.
(10)In order to ensure respect for the rights guaranteed by the Charter of Fundamental Rights of the European Union (the ‘Charter’), in the case of auditors, external accountants and tax advisors, who, in some Member States, are entitled to defend or represent a client in the context of judicial proceedings or to ascertain a client's legal position, the information they obtain in the performance of those tasks should not be subject to reporting obligations.
(11)Directive (EU) 2018/843 was the first legal instrument to address the risks of money laundering and terrorist financing posed by crypto-assets in the Union. It extended the scope of the AML/CFT framework to two types of crypto-assets services providers: providers engaged in exchange services between virtual currencies and fiat currencies and custodian wallet providers. Due to rapid technological developments and the advancement in FATF standards, it is necessary to review this approach. A first step to complete and update the Union legal framework has been achieved with Regulation [please insert reference – proposal for a Regulation on Markets in Crypto-assets, and amending Directive (EU) 2019/1937 - COM/2020/593 final], which set requirements for crypto-asset service providers wishing to apply for an authorisation to provide their services in the single market. It also introduced a definition of crypto-assets and crypto-assets services providers encompassing a broader range of activities. Crypto-asset service providers covered by Regulation [please insert reference – proposal for a Regulation on Markets in Crypto-assets, and amending Directive (EU) 2019/1937 - COM/2020/593 final] should also be covered by this Regulation, to mitigate any risk of misuse of crypto-assets for money laundering or terrorist financing purposes.
(12)Crowdfunding platforms’ vulnerabilities to money laundering and terrorist financing risks are horizontal and affect the internal market as a whole. To date, diverging approaches have emerged across Member States as to the management of those risks. Regulation (EU) 2020/1503 of the European Parliament and of the Council harmonises the regulatory approach for business investment and lending-based crowdfunding platforms across the Union and ensures that adequate and coherent safeguards are in place to deal with potential money laundering and terrorist financing risks. Among those, there are requirements for the management of funds and payments in relation to all the financial transactions executed on those platforms. Crowdfunding service providers must either seek a license or partner with a payment service provider or a credit institution for the execution of such transactions. The Regulation also sets out safeguards in the authorisation procedure, in the assessment of good repute of management and through due diligence procedures for project owners. The Commission is required to assess by 10 November 2023 in its report on that Regulation whether further safeguards may be necessary. It is therefore justified not to subject crowdfunding platforms licensed under Regulation (EU) 2020/1503 to Union AML/CFT legislation.
(13)Crowdfunding platforms that are not licensed under Regulation (EU) 2020/1503 are currently left either unregulated or to diverging regulatory approaches, including in relation to rules and procedures to tackle anti-money laundering and terrorist financing risks. To bring consistency and ensure that there are no uncontrolled risks in that environment, it is necessary that all crowdfunding platforms that are not licensed under Regulation (EU) 2020/1503 and thus are not subject to its safeguards are subject to Union AML/CFT rules in order to mitigate money laundering and terrorist financing risks.
(14)Directive (EU) 2015/849 set out to mitigate the money laundering and terrorist financing risks posed by large cash payments by including persons trading in goods among obliged entities when they make or receive payments in cash above EUR 10 000, whilst allowing Member States to introduce stricter measures. Such approach has shown to be ineffective in light of the poor understanding and application of AML/CFT requirements, lack of supervision and limited number of suspicious transactions reported to the FIU. In order to adequately mitigate risks deriving from the misuse of large cash sums, a Union-wide limit to large cash transactions above EUR 10 000 should be laid down. As a consequence, persons trading in goods should no longer be subject to AML/CFT obligations.
(15)Some categories of traders in goods are particularly exposed to money laundering and terrorist financing risks due to the high value that the small, transportable goods they deal with contain. For this reason, persons dealing in precious metals and precious stones should be subject to AML/CFT requirements.
(16)Investment migration operators are private companies, bodies or persons acting or interacting directly with the competent authorities of the Member States on behalf of third-country nationals or providing intermediary services to third-country nationals seeking to obtain residence rights in a Member State in exchange of any kind of investments, including capital transfers, purchase or renting of property, investment in government bonds, investment in corporate entities, donation or endowment of an activity contributing to the public good and contributions to the state budget. Investor residence schemes present risks and vulnerabilities in relation to money laundering, corruption and tax evasion. Such risks are exacerbated by the cross-border rights associated with residence in a Member State. Therefore, it is necessary that investment migration operators are subject to AML/CFT obligations. This Regulation should not apply to investor citizenship schemes, which result in the acquisition of nationality in exchange for such investments, as such schemes must be considered as undermining the fundamental status of Union citizenship and sincere cooperation among Member States.
(17)Consumer and mortgage creditors and intermediaries that are not credit institutions or financial institutions have not been subject to AML/CFT requirements at Union level, but have been subject to such obligations in certain Member States due to their exposure to money laundering and terrorist financing risks. Depending on their business model, such consumer and mortgage creditors and intermediaries may be exposed to significant money laundering and terrorist financing risks. It is important to ensure that entities carrying out similar activities that are exposed to such risks are covered by AML/CFT requirements, regardless of whether they qualify as credit institutions or financial institutions. Therefore, it is appropriate to include consumer and mortgage creditors and intermediaries that are not credit institutions or financial institutions but that are, as a result of their activities, exposed to money laundering and terrorist financing risks.
(18)To ensure a consistent approach, it is necessary to clarify which entities in the investment sector are subject to AML/CFT requirements. Although collective investment undertakings already fell within the scope of Directive (EU) 2015/849, it is necessary to align the relevant terminology with the current Union investment fund legislation, namely Directive 2009/65/EC of the European Parliament and of the Council and Directive 2011/61/EU of the European Parliament and of the Council. Because funds might be constituted without legal personality, the inclusion of their managers in the scope of this Regulation is also necessary. AML/CFT requirements should apply regardless of the form in which units or shares in a fund are made available for purchase in the Union, including where units or shares are directly or indirectly offered to investors established in the Union or placed with such investors at the initiative of the manager or on behalf of the manager.
(19)It is important that AML/CFT requirements apply in a proportionate manner and that the imposition of any requirement is proportionate to the role that obliged entities can play in the prevention of money laundering and terrorist financing. To this end, it should be possible for Member States in line with the risk base approach of this Regulation to exempt certain operators from AML/CFT requirements, where the activities they perform present low money laundering and terrorist financing risks and where the activities are limited in nature. To ensure transparent and consistent application of such exemptions across the Union, a mechanism should be put in place allowing the Commission to verify the necessity of the exemptions to be granted. The Commission should also publish such exemptions on a yearly basis in the Official Journal of the European Union.
(20)A consistent set of rules on internal systems and controls that applies to all obliged entities operating in the internal market will strengthen AML/CFT compliance and make supervision more effective. In order to ensure adequate mitigation of money laundering and terrorist financing risks, obliged entities should have in place an internal control framework consisting of risk–based policies, controls and procedures and clear division of responsibilities throughout the organisation. In line with the risk-based approach of this Regulation, those policies, controls and procedures should be proportionate to the nature and size of the obliged entity and respond to the risks of money laundering and terrorist financing that the entity faces.
(21)An appropriate risk-based approach requires obliged entities to identify the inherent risks of money laundering and terrorist financing that they face by virtue of their business in order to mitigate them effectively and to ensure that their policies, procedures and internal controls are appropriate to address those inherent risks. In doing so, obliged entities should take into account the characteristics of their customers, the products, services or transactions offered, the countries or geographical areas concerned and the distribution channels used. In light of the evolving nature of risks, such risk assessment should be regularly updated.
(22)It is appropriate to take account of the characteristics and needs of smaller obliged entities, and to ensure treatment which is appropriate to their specific needs, and the nature of the business. This may include exempting certain obliged entities from performing a risk assessment where the risks involved in the sector in which the entity operates are well understood.
(23)The FATF has developed standards for jurisdictions to identify, and assess the risks of potential non-implementation or evasion of the targeted financial sanctions related to proliferation financing, and to take action to mitigate those risks. Those new standards introduced by the FATF today do not substitute nor undermine the existing strict requirements for countries to implement targeted financial sanctions to comply with the relevant United Nations Security Council Regulations relating to the prevention, suppression and disruption of proliferation of weapons of mass destruction and its financing. Those existing obligations, as implemented at Union level by Council Decisions 2010/413/CFSP and (CFSP) 2016/849 as well as by Council Regulations (EU) No 267/2012 and (EU) 2017/1509, remain strict rule-based obligations binding on all natural and legal persons within the Union.
(24)In order to reflect the latest developments at international level, a requirement has been introduced by this Regulation to identify, understand, manage and mitigate risks of potential non-implementation or evasion of proliferation financing-related targeted financial sanctions at obliged entity level.
(25)It is important that obliged entities take all measures at the level of their management to implement internal policies, controls and procedures and to implement AML/CFT requirements. While a person at management level should be identified as being responsible for implementing the obliged entity’s policies, controls and procedures, the responsibility for the compliance with AML/CFT requirements should rest ultimately with the governing body of the entity. Tasks pertaining to the day-to-day implementation of the obliged entity’s AML/CFT policies, controls and procedures should be entrusted to a compliance officer.
(26)For effective implementation of AML/CFT measures, it is also vital that the employees of obliged entities, as well as their agents and distributors, who have a role in their implementation understand the requirements and the internal policies, controls and procedures in place in the entity. Obliged entities should put in place measures, including training programmes, to this effect.
(27)Individuals entrusted with tasks related to an obliged entity’s compliance with AML/CFT requirements should undergo assessment of their skills, knowledge, expertise, integrity and conduct. Performance by employees of tasks related to the obliged entity’s compliance with the AML/CFT framework in relation to customers with whom they have a close private or professional relationship can lead to conflicts of interests and undermine the integrity of the system. Therefore, employees in such situations should be prevented from performing any tasks related to the obliged entity’s compliance with the AML/CFT framework in relation to such customers.
(28)The consistent implementation of group-wide AML/CFT policies and procedures is key to the robust and effective management of money laundering and terrorist financing risks within the group. To this end, group-wide policies, controls and procedures should be adopted and implemented by the parent undertaking. Obliged entities within the group should be required to exchange information when such sharing is relevant for preventing money laundering and terrorist financing. Information sharing should be subject to sufficient guarantees in terms of confidentiality, data protection and use of information. AMLA should have the task of drawing up draft regulatory standards specifying the minimum requirements of group-wide procedures and policies, including minimum standards for information sharing within the group and the role and responsibilities of parent undertakings that are not themselves obliged entities.
(29)In addition to groups, other structures exist, such as networks or partnerships, in which obliged entities might share common ownership, management and compliance controls. To ensure a level playing field across the sectors whilst avoiding overburdening it, AMLA should identify those situations where similar group-wide policies should apply to those structures.
(30)There are circumstances where branches and subsidiaries of obliged entities are located in third countries where the minimum AML/CFT requirements, including data protection obligations, are less strict than the Union AML/CFT framework. In such situations, and in order to fully prevent the use of the Union financial system for the purposes of money laundering and terrorist financing and to ensure the highest standard of protection for personal data of Union citizens, those branches and subsidiaries should comply with AML/CFT requirements laid down at Union level. Where the law of a third country does not permit compliance with those requirements, for example because of limitations to the group's ability to access, process or exchange information due to an insufficient level of data protection or banking secrecy law in the third country, obliged entities should take additional measures to ensure the branches and subsidiaries located in that country effectively handle the risks. AMLA should be tasked with developing draft technical standards specifying the type of such additional measures.
(31)Customer due diligence requirements are essential to ensure that obliged entities identify, verify and monitor their business relationships with their clients, in relation to the money laundering and terrorist financing risks that they pose. Accurate identification and verification of data of prospective and existing customers are essential for understanding the risks of money laundering and terrorist financing associated with clients, whether they are natural or legal persons.
(32)It is necessary to achieve a uniform and high standard of customer due diligence in the Union, relying on harmonised requirements for the identification of customers and verification of their identity, and reducing national divergences to allow for a level playing field across the internal market and for a consistent application of provisions throughout the Union. At the same time, it is essential that obliged entities apply customer due diligence requirements in a risk-based manner. The risk-based approach is not an unduly permissive option for obliged entities. It involves the use of evidence-based decision-making in order to target more effectively the risks of money laundering and terrorist financing facing the Union and those operating within it.
(33)Obliged entities should not be required to apply due diligence measures on customers carrying out occasional or linked transactions below a certain value, unless there is suspicion of money laundering or terrorist financing. Whereas the EUR 10 000 threshold applies to most occasional transactions, obliged entities which operate in sectors or carry out transactions that present a higher risk of money laundering and terrorist financing should be required to apply customer due diligence for transactions with lower thresholds. To identify the sectors or transactions as well as the adequate thresholds for those sectors or transactions, AMLA should develop dedicated draft regulatory technical standards.
(34)Some business models are based on the obliged entity having a business relationship with a merchant for offering payment initiation services through which the merchant gets paid for the provision of goods or services, and not with the merchant’s customer, who authorises the payment initiation service to initiate a single or one-off transaction to the merchant. In such a business model, the obliged entity’s customer for the purpose of AML/CFT rules is the merchant, and not the merchant’s customer. Therefore, customer due diligence obligations should be applied by the obliged entity vis-a-vis the merchant.
(35)Directive (EU) 2015/849, despite having harmonised the rules of Member States in the area of customer identification obligations to a certain degree, did not lay down detailed rules in relation to the procedures to be followed by obliged entities. In view of the crucial importance of this aspect in the prevention of money laundering and terrorist financing, it is appropriate, in accordance with the risk-based approach, to introduce more specific and detailed provisions on the identification of the customer and on the verification of the customer’s identity, whether in relation to natural or legal persons, legal arrangements such as trusts or entities having legal capacity under national law.
(36)Technological developments and progress in digitalisation enable a secure remote or electronic identification and verification of prospective and existing customers and can facilitate the remote performance of customer due diligence. The identification solutions as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council and the proposal for an amendment to it in relation to a framework for a European Digital Identity enable secure and trusted means of customer identification and verification for both prospective and existing customers and can facilitate the remote performance of customer due diligence. The electronic identification as set out in that Regulation should be taken into account and accepted by obliged entities for the customer identification process. These means of identification may present, where appropriate risk mitigation measures are in place, a standard or even low level of risk.
(37)To ensure that the AML/CFT framework prevents illicit funds from entering the financial system, obliged entities should carry out customer due diligence before entering into business relationships with prospective clients, in line with the risk-based approach. Nevertheless, in order not to unnecessarily delay the normal conduct of business, obliged entities may collect the information from the prospective customer during the establishment of a business relationship. Credit and financial institutions may obtain the necessary information from the prospective customers once the relationship is established, provided that transactions are not initiated until the customer due diligence process is successfully completed.
(38)Depositors whose funds are the proceeds of money laundering should be excluded from repayment by a deposit guarantee scheme. To prevent that illicit funds are reimbursed to such depositors, credit institutions should, under the oversight of the supervisors, perform customer due diligence of their clients where the credit institutions have been determined failing or likely to fail, or when deposits are defined as unavailable. Credit institutions should report any suspicious transactions identified in the performance of such customer due diligence to the FIU.
(39)The customer due diligence process is not limited to the identification and verification of the customer’s identity. Before entering into business relationships or carrying out occasional transactions, obliged entities should also assess the purpose and nature of a business relationship. Pre-contractual or other information about the proposed product or service that is communicated to the prospective customer may contribute to the understanding of that purpose. Obliged entities should always be able to assess the purpose and nature of a prospective business relationship in an unambiguous manner. Where the offered service or product enables customers to carry out various types of transactions or activities, obliged entities should obtain sufficient information on the intention of the customer regarding the use to be made of that relationship.
(40)To ensure the effectiveness of the AML/CFT framework, obliged entities should regularly review the information obtained from their customers, in accordance with the risk-based approach. Obliged entities should also set up a monitoring system to detect atypical transactions that might raise money laundering or terrorist financing suspicions. To ensure the effectiveness of the transaction monitoring, obliged entities’ monitoring activity should in principle cover all services and products offered to customers and all transactions which are carried out on behalf of the costumer or offered to the customer by the obliged entity. However, not all transactions need to be scrutinised individually. The intensity of the monitoring should respect the risk-based approach and be designed around precise and relevant criteria, taking account, in particular, of the characteristics of the customers and the risk level associated with them, the products and services offered, and the countries or geographical areas concerned. AMLA should develop guidelines to ensure that the intensity of the monitoring of business relationships and of transactions is adequate and proportionate to the level of risk.
(41)In order to ensure consistent application of this Regulation, AMLA should have the task of drawing up draft regulatory technical standards on customer due diligence. Those regulatory technical standards should set out the minimum set of information to be obtained by obliged entities in order to enter into new business relationships with customers or assess ongoing ones, according to the level of risk associated with each customer. Furthermore, the draft regulatory technical standards should provide sufficient clarity to allow market players to develop secure, accessible and innovative means of verifying customers’ identity and performing customer due diligence, also remotely, while respecting the principle of technology neutrality. The Commission should be empowered to adopt those draft regulatory technical standards. Those specific tasks are in line with the role and responsibilities of AMLA as provided in Regulation [please insert reference – proposal for establishment of an Anti-Money Laundering Authority - COM/2021/421 final].
(42)The harmonisation of customer due diligence measures should not only seek to achieve consistent, and consistently effective, understanding of the risks associated with an existing or prospective customer regardless of where the business relationship is opened in the Union, and their harmonisation will help to achieve this aim. It should also ensure that the information obtained in the performance of customer due diligence is not used by obliged entities to pursue de-risking practices which may result in circumventing other legal obligations, in particular those laid down in Directive 2014/92 of the European Parliament and of the Council or Directive 2015/2366 of the European Parliament and of the Council, without achieving the Union’s objectives in the prevention of money laundering and terrorist financing. To enable the proper supervision of compliance with the customer due diligence obligations, it is important that obliged entities keep record of the actions undertaken and the information obtained during the customer due diligence process, irrespective of whether a new business relationship is established with them and of whether they have submitted a suspicious transaction report upon refusing to establish a business relationship. Where the obliged entity takes a decision to not enter into a business relationship with a prospective customer, the customer due diligence records should include the grounds for such a decision. This will enable supervisory authorities to assess whether obliged entities have appropriately calibrated their customer due diligence practices and how the entity’s risk exposure evolves, as well as help building statistical evidence on the application of customer due diligence rules by obliged entities throughout the Union.
(43)The approach for the review of existing customers in the current AML/CFT framework is already risk-based. However, given the higher risk of money laundering, its predicate offences and terrorist financing associated with certain intermediary structures, that approach might not allow for the timely detection and assessment of risks. It is therefore important to ensure that clearly specified categories of existing customers are also monitored on a regular basis.
(44)Risk itself is variable in nature, and the variables, on their own or in combination, may increase or decrease the potential risk posed, thus having an impact on the appropriate level of preventive measures, such as customer due diligence measures.
(45)In low risk situations, obliged entities should be able to apply simplified customer due diligence measures. This does not equate to an exemption or absence of customer due diligence measures. It rather consists in a simplified or reduced set of scrutiny measures, which should however address all components of the standard customer due diligence procedure. In line with the risk-based approach, obliged entities should nevertheless be able to reduce the frequency or intensity of their customer or transaction scrutiny, or rely on adequate assumptions with regard to the purpose of the business relationship or use of simple products. The regulatory technical standards on customer due diligence should set out the specific simplified measures that obliged entities may implement in case of lower risk situations identified in the Supranational Risk Assessment of the Commission. When developing draft regulatory technical standards, AMLA should have due regard to preserving social and financial inclusion.
(46)It should be recognised that certain situations present a greater risk of money laundering or terrorist financing. Although the identity and business profile of all customers should be established with the regular application of customer due diligence requirements, there are cases in which particularly rigorous customer identification and verification procedures are required. Therefore, it is necessary to lay down detailed rules on such enhanced due diligence measures, including specific enhanced due diligence measures for cross-border correspondent relationships.
(47)Cross-border correspondent relationships with a third-country’s respondent institution are characterised by their on-going, repetitive nature. Moreover, not all cross-border correspondent banking services present the same level of money laundering and terrorist financing risks. Therefore, the intensity of the enhanced due diligence measures should be determined by application of the principles of the risk based approach. However, the risk based approach should not be applied when interacting with third-country’s respondent institutions that have no physical presence where they are incorporated. Given the high risk of money laundering and terrorist financing inherent in shell banks, credit institutions and financial institutions should refrain from entertaining any correspondent relationship with such shell banks.
(48)In the context of enhanced due diligence measures, obtaining approval from senior management for establishing business relationships does not need to imply, in all cases, obtaining approval from the board of directors. It should be possible for such approval to be granted by someone with sufficient knowledge of the entity's money laundering and terrorist financing risk exposure and of sufficient seniority to take decisions affecting its risk exposure.
(49)In order to protect the proper functioning of the Union financial system from money laundering and terrorist financing, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union (TFEU) should be delegated to the Commission to identify third countries, whose shortcomings in their national AML/CFT regimes represent a threat to the integrity of the Union’s internal market. The changing nature of money laundering and terrorist financing threats from outside the Union, facilitated by a constant evolution of technology and of the means at the disposal of criminals, requires that quick and continuous adaptations of the legal framework as regards third countries be made in order to address efficiently existing risks and prevent new ones from arising. The Commission should take into account information from international organisations and standard setters in the field of AML/CFT, such as FATF public statements, mutual evaluation or detailed assessment reports or published follow-up reports, and adapt its assessments to the changes therein, where appropriate.
(50)Third countries “subject to a call for action” by the relevant international standard-setter (the FATF) present significant strategic deficiencies of a persistent nature in their legal and institutional AML/CFT frameworks and their implementation which are likely to pose a high risk to the Union’s financial system. The persistent nature of the significant strategic deficiencies, reflective of the lack of commitment or continued failure by the third country to tackle them, signal a heightened level of threat emanating from those third countries, which requires an effective, consistent and harmonised mitigating response at Union level. Therefore, obliged entities should be required to apply the whole set of available enhanced due diligence measures to occasional transactions and business relationships involving those high-risk third countries to manage and mitigate the underlying risks. Furthermore, the high level of risk justifies the application of additional specific countermeasures, whether at the level of obliged entities or by the Member States. Such approach would avoid divergence in the determination of the relevant countermeasures, which would expose the entirety of Union’s financial system to risks. Given its technical expertise, AMLA can provide useful input to the Commission in identifying the appropriate countermeasures.
(51)Compliance weaknesses in both the legal and institutional AML/CFT framework and its implementation of third countries which are subject to “increased monitoring” by the FATF are susceptible to be exploited by criminals. This is likely to represent a risk for the Union’s financial system, which needs to be managed and mitigated. The commitment of these third countries to address identified weaknesses, while not eliminating the risk, justifies a mitigating response, which is less severe than the one applicable to high-risk third countries. In these cases, Union’s obliged entities should apply enhanced due diligence measures to occasional transactions and business relationships when dealing with natural persons or legal entities established in those third countries that are tailored to the specific weaknesses identified in each third country. Such granular identification of the enhanced due diligence measures to be applied would, in line with the risk-based approach, also ensure that the measures are proportionate to the level of risk. To ensure such consistent and proportionate approach, the Commission should be able to identify which specific enhanced due diligence measures are required in order to mitigate country-specific risks. Given AMLA’s technical expertise, it can provide useful input to the Commission to identify the appropriate enhanced due diligence measures.
(52)Countries that are not publicly identified as subject to calls for actions or increased monitoring by international standard setters might still pose a threat to the integrity of the Union’s financial system. To mitigate those risks, it should be possible for the Commission to take action by identifying, based on a clear set of criteria and with the support of AMLA, third countries posing a specific and serious threat to the Union’s financial system, which may be due to either compliance weaknesses or significant strategic deficiencies of a persistent nature in their AML/CFT regime, and the relevant mitigating measures. Those third countries should be identified by the Commission. According to the level of risk posed to the Union’s financial system, the Commission should require the application of either all enhanced due diligence measures and country-specific countermeasures, as it is the case for high-risk third countries, or country-specific enhanced customer due diligence, such as in the case of third countries with compliance weaknesses.
(53)Considering that there may be changes in the AML/CFT frameworks of those third countries or in their implementation, for example as result of the country’s commitment to address the identified weaknesses or of the adoption of relevant AML/CFT measures to tackle them, which could change the nature and level of the risks emanating from them, the Commission should regularly review the identification of those specific enhanced due diligence measures in order to ensure that they remain proportionate and adequate.
(54)Potential external threats to the Union’s financial system do not only emanate from third countries, but can also emerge in relation to specific customer risk factors or products, services, transactions or delivery channels which are observed in relation to a specific geographical area outside the Union. There is therefore a need to identify money laundering and terrorist financing trends, risks and methods to which Union’s obliged entities may be exposed. AMLA is best placed to detect any emerging ML/TF typologies from outside the Union, to monitor their evolution with a view to providing guidance to the Union’s obliged entities on the need to apply enhanced due diligence measures aimed at mitigating such risks.
(55)Relationships with individuals who hold or who have held important public functions, within the Union or internationally, and particularly individuals from countries where corruption is widespread, may expose the financial sector to significant reputational and legal risks. The international effort to combat corruption also justifies the need to pay particular attention to such persons and to apply appropriate enhanced customer due diligence measures with respect to persons who are or who have been entrusted with prominent public functions and with respect to senior figures in international organisations. Therefore, it is necessary to specify measures which obliged entities should apply with respect to transactions or business relationships with politically exposed persons. To facilitate the risk-based approach, AMLA should be tasked with issuing guidelines on assessing the level of risks associated with a particular category of politically exposed persons, their family members or persons known to be close associates.
(56)In order to identify politically exposed persons in the Union, lists should be issued by Member States indicating the specific functions which, in accordance with national laws, regulations and administrative provisions, qualify as prominent public functions. Member States should request each international organisation accredited on their territories to issue and keep up to date a list of prominent public functions at that international organisation. The Commission should be tasked with compiling and issuing a list, which should be valid across the Union, as regards persons entrusted with prominent public functions in Union institutions or bodies.
(57)When customers are no longer entrusted with a prominent public function, they can still pose a higher risk, for example because of the informal influence they could still exercise, or because their previous and current functions are linked. It is essential that obliged entities take into consideration those continuing risks and apply one or more enhanced due diligence measures until such time that the individuals are deemed to pose no further risk, and in any case for not less than 12 months following the time when they are no longer entrusted with a prominent public function.
(58)Insurance companies often do not have client relationships with beneficiaries of the insurance policies. However, they should be able to identify higher risk situations, such as when the proceeds of the policy benefit a politically exposed person. To determine whether this is the case, the insurance policy should include reasonable measures to identify the beneficiary, as if this person were a new client. Such measures can be taken at the time of the payout or at the time of the assignment of the policy, but not later.
(59)Close private and professional relationships can be abused for money laundering and terrorist financing purposes. For that reason, measures concerning politically exposed persons should also apply to their family members and persons known to be close associates. Properly identifying family members and persons known to be close associates may depend on the socio-economic and cultural structure of the country of the politically exposed person. Against this background, AMLA should have the task of issuing guidelines on the criteria to use to identify persons who should be considered as close associate.
(60)The requirements relating to politically exposed persons, their family members and close associates, are of a preventive and not criminal nature, and should not be interpreted as stigmatising politically exposed persons as being involved in criminal activity. Refusing a business relationship with a person simply on the basis of a determination that they are a politically exposed person is contrary to the letter and spirit of this Regulation.
(61)In order to avoid repeated customer identification procedures, it is appropriate, subject to suitable safeguards, to allow obliged entities to rely on the customer information collected by other obliged entities. Where an obliged entity relies on another obliged entity, the ultimate responsibility for customer due diligence should remain with the obliged entity which chooses to rely on the customer due diligence performed by another obliged entity. The obliged entity relied upon should also retain its own responsibility for compliance with AML/CFT requirements, including the requirement to report suspicious transactions and retain records.
(62)Obliged entities may outsource tasks relating to the performance of customer due diligence to an agent or external service provider, unless they are established in third countries that are designated as high-risk, as having compliance weaknesses or as posing a threat to the Union’s financial system. In the case of agency or outsourcing relationships on a contractual basis between obliged entities and external service providers not covered by AML/CFT requirements, any AML/CFT obligations upon those agents or outsourcing service providers could arise only from the contract between the parties and not from this Regulation. Therefore, the responsibility for complying with AML/CFT requirements should remain entirely with the obliged entity itself. The obliged entity should in particular ensure that, where an outsourced service provider is involved for the purposes of remote customer identification, the risk-based approach is respected.
(63)In order for third party reliance and outsourcing relationships to function efficiently, further clarity is needed around the conditions according to which reliance takes place. AMLA should have the task of developing guidelines on the conditions under which third-party reliance and outsourcing can take place, as well as the roles and responsibilities of the respective parties. To ensure that consistent oversight of reliance and outsourcing practices is ensured throughout the Union, the guidelines should also provide clarity on how supervisors should take into account such practices and verify compliance with AML/CFT requirements when obliged entities resort to those practices.
(64)The concept of beneficial ownership was introduced by Directive (EU) 2015/849 to increase transparency of complex corporate structures. The need to access accurate, up-to-date and adequate information on the beneficial owner is a key factor in tracing criminals who might otherwise be able to hide their identity behind such opaque structures. Member States are currently required to ensure that both corporate and other legal entities as well as express trusts and other similar legal arrangements obtain and hold adequate, accurate and current information on their beneficial ownership. However, the degree of transparency imposed by Member States varies. The rules are subject to divergent interpretations, and this results in different methods to identify beneficial owners of a given entity or arrangement. This is due, inter alia, to inconsistent ways of calculating indirect ownership of an entity or arrangement. This hampers the transparency that was intended to be achieved. It is therefore necessary to clarify the rules to achieve a consistent definition of beneficial owner and its application across the internal market.
(65)Detailed rules should be laid down to identify the beneficial owners of corporate and other legal entities and to harmonise definitions of beneficial ownership. While a specified percentage shareholding or ownership interest does not automatically determine the beneficial owners, it should be one factor among others to be taken into account. Member States should be able, however, to decide that a percentage lower than 25% may be an indication of ownership or control. Control through ownership interest of 25% plus one of the shares or voting rights or other ownership interest should be assessed on every level of ownership, meaning that this threshold should apply to every link in the ownership structure and that every link in the ownership structure and the combination of them should be properly examined.
(66)A meaningful identification of the beneficial owners requires a determination of whether control is exercised via other means. The determination of control through an ownership interest is necessary but not sufficient and it does not exhaust the necessary checks to determine the beneficial owners. The test on whether any natural person exercises control via other means is not a subsequent test to be performed only when it is not possible to determine an ownership interest. The two tests, namely that of control through an ownership interest and that of control via other means, should be performed in parallel. Control through other means may include the right to appoint or remove more than half of the members of the board of the corporate entity; the ability to exert a significant influence on the decisions taken by the corporate entity; control through formal or informal agreements with owners, members or the corporate entities, as well as voting arrangements; links with family members of managers or directors or those owning or controlling the corporate entity; use of formal or informal nominee arrangements.
(67)In order to ensure effective transparency, the widest possible range of legal entities and arrangements incorporated or created in the territory of Member States should be covered by beneficial ownership rules. This includes legal entities other than corporate ones and arrangements similar to trusts. Due to differences in the legal systems of Member States, those broad categories encompass a variety of different organisational structures. Member States should notify to the Commission a list of the types of corporate and other legal entities where the beneficial owners is identified in line with the rules for the identification of beneficial owners for corporate entities. The Commission should make recommendations to Member States on the specific rules and criteria to identify the beneficial owners of legal entities other than corporate entities.
(68)To ensure the consistent identification of beneficial owners of express trusts and similar legal entities, such as foundations, or arrangements, it is necessary to lay down harmonised beneficial ownership rules. Member States are required to notify to the Commission a list of the types of legal entities and legal arrangements similar to express trusts where the beneficial owners is identified according to the identification of beneficial owners for express trusts and similar legal entities or arrangements. The Commission should be empowered to adopt, by means of an implementing act, a list of legal arrangements and legal entities governed by national law of Member States, which have a structure or function similar to express trusts.
(69)A consistent approach to the beneficial ownership transparency regime also requires ensuring that the same information is collected on beneficial owners across the internal market. It is appropriate to introduce precise requirements concerning the information that should be collected in each case. That information includes a minimum set of personal data of the beneficial owner, the nature and extent of the beneficial interest held in the legal entity or legal arrangement and information on the legal entity or legal arrangement.
(70)Underpinning an effective framework on beneficial ownership transparency is the knowledge by corporate and other legal entities of the natural persons who are their beneficial owners. Thus, all corporate and other legal entities in the Union should obtain and hold adequate, accurate and current beneficial ownership information. That information should be retained for five years and the identity of the person responsible for retaining the information should be reported to the registers. That retention period is equivalent to the period for retention of the information obtained within the application of AML/CFT requirements, such as customer due diligence measures. In order to ensure the possibility to cross-check and verify information, for instance through the mechanism of discrepancy reporting, it is justified to ensure that the relevant data retention periods are aligned.
(71)Corporate and other legal entities should take all necessary measures to identify their beneficial owners. There may however be cases where no natural person is identifiable who ultimately owns or exerts control over an entity. In such exceptional cases, provided that all means of identification are exhausted, the senior managing officials can be reported when providing beneficial ownership information to obliged entities in the course of the customer due diligence process or when submitting the information to the central register. Corporate and legal entities should keep records of the actions taken in order to identify their beneficial owners, especially when they rely on this last resort measure, which should be duly justified and documented.
(72)There is a need to ensure a level playing field among the different types of legal forms and to avoid the misuse of trusts and legal arrangements, which are often layered in complex structures to further obscure beneficial ownership. Trustees of any express trust administered in a Member State should thus be responsible for obtaining and holding adequate, accurate and current beneficial ownership information regarding the trust, and for disclosing their status and providing this information to obliged entities carrying out costumer due diligence. Any other beneficial owner of the trust should assist the trustee in obtaining such information.
(73)In view of the specific structure of certain legal entities such as foundations, and the need to ensure sufficient transparency about their beneficial ownership, such entities and legal arrangements similar to trusts should be subject to equivalent beneficial ownership requirements as those that apply to express trusts.
(74)Nominee arrangements may allow the concealment of the identity of the beneficial owners, because a nominee might act as the director or shareholder of a legal entity while the nominator is not always disclosed. Those arrangements might obscure the beneficial ownership and control structure, when beneficial owners do not wish to disclose their identity or role within them. There is thus a need to introduce transparency requirements in order to avoid that these arrangements are misused and to prevent criminals from hiding behind persons acting on their behalf. Nominee shareholders and nominee directors of corporate or other legal entities should maintain sufficient information on the identity of their nominator as well as of any beneficial owner of the nominator and disclose them as well as their status to the corporate or other legal entities. The same information should also be reported by corporate and other legal entities to obliged entities, when customer due diligence measures are performed.
(75)The risks posed by foreign corporate entities and legal arrangements, which are misused to channel proceeds of funds into the Union’s financial system, need to be mitigated. Since beneficial ownership standards in place in third countries might not be sufficient to allow for the same level of transparency and timely availability of beneficial ownership information as in the Union, there is a need to ensure adequate means to identify the beneficial owners of foreign corporate entities or legal arrangements in specific circumstances. Therefore, legal entities incorporated outside the Union and express trusts or similar legal arrangements administered outside the Union should be required to disclose their beneficial owners whenever they operate in the Union by entering into a business relationship with a Union’s obliged entity or by acquiring real estate in the Union.
(76)In order to encourage compliance and ensure an effective beneficial ownership transparency, beneficial ownership requirements need to be enforced. To this end, Member States should apply sanctions for breaches of those requirements. Those sanctions should be effective, proportionate and dissuasive, and should not go beyond what is required to encourage compliance. Sanctions introduced by Member States should have an equivalent deterrent effect across the Union on the breaches of beneficial ownership requirements.
(77)Suspicious transactions, including attempted transactions, and other information relevant to money laundering, its predicate offences and terrorist financing, should be reported to the FIU, which should serve as a single central national unit for receiving and, analysing reported suspicions and for disseminating to the competent authorities the results of its analyses. All suspicious transactions, including attempted transactions, should be reported, regardless of the amount of the transaction. Reported information may also include threshold-based information. The disclosure of information to the FIU in good faith by an obliged entity or by an employee or director of such an entity should not constitute a breach of any restriction on disclosure of information and should not involve the obliged entity or its directors or employees in liability of any kind.
(78)Differences in suspicious transaction reporting obligations between Member States may exacerbate the difficulties in AML/CFT compliance experienced by obliged entities that have a cross-border presence or operations. Moreover, the structure and content of the suspicious transaction reports have an impact on the FIU’s capacity to carry out analysis and on the nature of that analysis, and also affects FIUs’ abilities to cooperate and to exchange information. In order to facilitate obliged entities’ compliance with their reporting obligations and allow for a more effective functioning of FIUs’ analytical activities and cooperation, AMLA should develop draft regulatory standards specifying a common template for the reporting of suspicious transactions to be used as a uniform basis throughout the Union.
(79)FIUs should be able to obtain swiftly from any obliged entity all the necessary information relating to their functions. Their unfettered and swift access to information is essential to ensure that flows of money can be properly traced and illicit networks and flows detected at an early stage. The need for FIUs to obtain additional information from obliged entities based on a suspicion of money laundering or financing of terrorism might be triggered by a prior suspicious transaction report reported to the FIU, but might also be triggered through other means such as the FIU’s own analysis, intelligence provided by competent authorities or information held by another FIU. FIUs should therefore be able, in the context of their functions, to obtain information from any obliged entity, even without a prior report being made. Obliged entities should reply to a request for information by the FIU as soon as possible and, in any case, within five days of receipt of the request. In justified and urgent cases, the obliged entity should be able to respond to the FIU’s request within 24 hours. This does not include indiscriminate requests for information to the obliged entities in the context of the FIU's analysis, but only information requests based on sufficiently defined conditions. An FIU should also be able to obtain such information on a request made by another Union FIU and to exchange the information with the requesting FIU.
(80)For certain obliged entities, Member States should have the possibility to designate an appropriate self-regulatory body to be informed in the first instance instead of the FIU. In accordance with the case-law of the European Court of Human Rights, a system of first instance reporting to a self-regulatory body constitutes an important safeguard for upholding the protection of fundamental rights as concerns the reporting obligations applicable to lawyers. Member States should provide for the means and manner by which to achieve the protection of professional secrecy, confidentiality and privacy.
(81)Where a Member State decides to designate such a self-regulatory body, it may allow or require that body not to transmit to the FIU any information obtained from persons represented by that body where such information has been received from, or obtained on, one of their clients, in the course of ascertaining the legal position of their client, or in performing their task of defending or representing that client in, or concerning, judicial proceedings, including providing advice on instituting or avoiding such proceedings, whether such information is received or obtained before, during or after such proceedings.
(82)Obliged entities should exceptionally be able to carry out suspicious transactions before informing the competent authorities where refraining from doing so is impossible or likely to frustrate efforts to pursue the beneficiaries of a suspected money laundering or terrorist financing operation. However, this exception should not be invoked in relation to transactions concerned by the international obligations accepted by the Member States to freeze without delay funds or other assets of terrorists, terrorist organisations or those who finance terrorism, in accordance with the relevant United Nations Security Council resolutions.
(83)Confidentiality in relation to the reporting of suspicious transactions and to the provision of other relevant information to FIUs is essential in order to enable the competent authorities to freeze and seize assets potentially linked to money laundering, its predicate offences or terrorist financing. A suspicious transaction is not an indication of criminal activity. Disclosing that a suspicion has been reported may tarnish the reputation of the persons involved in the transaction and jeopardise the performance of analyses and investigations. Therefore, obliged entities and their directors and employees should not inform the customer concerned or a third party that information is being, will be, or has been submitted to the FIU, whether directly or through the self-regulatory body, or that a money laundering or terrorist financing analysis is being, or may be, carried out. The prohibition of disclosure should not apply in specific circumstances concerning, for example, disclosures to competent authorities and self-regulatory bodies when performing supervisory functions, or disclosures for law enforcement purposes or when the disclosures take place between obliged entities that belong to the same group.
(84)Criminals move illicit proceeds through numerous intermediaries to avoid detection. Therefore it is important to allow obliged entities to exchange information not only between group members, but also in certain cases between credit and financial institutions and other entities that operate within networks, with due regard to data protection rules.
(85)Regulation (EU) 2016/679 of the European Parliament and of the Council applies to the processing of personal data for the purposes of this Regulation. The fight against money laundering and terrorist financing is recognised as an important public interest ground by all Member States.
(86)It is essential that the alignment of the AML/CFT framework with the revised FATF Recommendations is carried out in full compliance with Union law, in particular as regards Union data protection law and the protection of fundamental rights as enshrined in the Charter. Certain aspects of the implementation of the AML/CFT framework involve the collection, analysis, storage and sharing of data. Such processing of personal data should be permitted, while fully respecting fundamental rights, only for the purposes laid down in this Regulation, and for carrying out customer due diligence, ongoing monitoring, analysis and reporting of unusual and suspicious transactions, identification of the beneficial owner of a legal person or legal arrangement, identification of a politically exposed person and sharing of information by credit institutions and financial institutions and other obliged entities. The collection and subsequent processing of personal data by obliged entities should be limited to what is necessary for the purpose of complying with AML/CFT requirements and personal data should not be further processed in a way that is incompatible with that purpose. In particular, further processing of personal data for commercial purposes should be strictly prohibited.
(87)The revised FATF Recommendations demonstrate that, in order to be able to cooperate fully and comply swiftly with information requests from competent authorities for the purposes of the prevention, detection or investigation of money laundering and terrorist financing, obliged entities should maintain, for at least five years, the necessary information obtained through customer due diligence measures and the records on transactions. In order to avoid different approaches and in order to fulfil the requirements relating to the protection of personal data and legal certainty, that retention period should be fixed at five years after the end of a business relationship or an occasional transaction.
(88)When the notion of competent authorities refers to investigating and prosecuting authorities, it shall be interpreted as including the central and decentralised levels of the European Public Prosecutor's Office (EPPO) with regard to the Member States that participate in the enhanced cooperation on the establishment of the EPPO.
(89)For the purpose of ensuring the appropriate and efficient administration of justice during the period between the entry into force and application of this Regulation, and in order to allow for its smooth interaction with national procedural law, information and documents pertinent to ongoing legal proceedings for the purpose of the prevention, detection or investigation of possible money laundering or terrorist financing, which have been pending in the Member States on the date of entry into force of this Regulation, should be retained for a period of five years after that date, and it should be possible to extend that period for a further five years.
(90)The rights of access to data by the data subject are applicable to the personal data processed for the purpose of this Regulation. However, access by the data subject to any information related to a suspicious transaction report would seriously undermine the effectiveness of the fight against money laundering and terrorist financing. Exceptions to and restrictions of that right in accordance with Article 23 of Regulation (EU) 2016/679 may therefore be justified. The data subject has the right to request that a supervisory authority referred to in Article 51 of Regulation (EU) 2016/679 checks the lawfulness of the processing and has the right to seek a judicial remedy referred to in Article 79 of that Regulation. The supervisory authority may also act on an ex-officio basis. Without prejudice to the restrictions to the right to access, the supervisory authority should be able to inform the data subject that all necessary verifications by the supervisory authority have taken place, and of the result as regards the lawfulness of the processing in question.
(91)Obliged entities might resort to the services of other private operators. However, the AML/CFT framework should apply to obliged entities only, and obliged entities should retain full responsibility for compliance with AML/CFT requirements. In order to ensure legal certainty and to avoid that some services are inadvertently brought into the scope of this regulation, it is necessary to clarify that persons that merely convert paper documents into electronic data and are acting under a contract with an obliged entity, and persons that provide credit institutions or financial institutions solely with messaging or other support systems for transmitting funds or with clearing and settlement systems do not fall within the scope of this Regulation.
(92)Obliged entities should obtain and hold adequate and accurate information on the beneficial ownership and control of legal persons. As bearer shares accord the ownership to the person who possesses the bearer share certificate, they allow the beneficial owner to remain anonymous. To ensure that those shares are not misused for money laundering or terrorist financing purposes, companies - other than those with listed securities on a regulated market or whose shares are issued as intermediated securities - should convert all existing bearer shares into registered shares. In addition, only bearer share warrants in intermediated form should be allowed.
(93)The anonymity of crypto-assets exposes them to risks of misuse for criminal purposes. Anonymous crypto-asset wallets do not allow the traceability of crypto-asset transfers, whilst also making it difficult to identify linked transactions that may raise suspicion or to apply to adequate level of customer due diligence. In order to ensure effective application of AML/CFT requirements to crypto-assets, it is necessary to prohibit the provision and the custody of anonymous crypto-asset wallets by crypto-asset service providers.
(94)The use of large cash payments is highly vulnerable to money laundering and terrorist financing; this has not been sufficiently mitigated by the requirement for traders in goods to be subject to anti-money laundering rules when making or receiving cash payments of EUR 10 000 or more. At the same time, differences in approaches among Member States have undermined the level playing field within the internal market to the detriment of businesses located in Member States with stricter controls. It is therefore necessary to introduce a Union-wide limit to large cash payments of EUR 10 000. Member States should be able to adopt lower thresholds and further stricter provisions.
(95)The Commission should assess the costs, benefits and impacts of lowering the limit to large cash payments at Union level with a view to levelling further the playing field for businesses and reducing opportunities for criminals to use cash for money laundering. This assessment should consider in particular the most appropriate level for a harmonised limit to cash payments at Union level considering the current existing limits to cash payments in place in a large number of Member States, the enforceability of such a limit at Union level and the effects of such a limit on the legal tender status of the euro.
(96)The Commission should also assess the costs, benefits and impacts of lowering the threshold for the identification of beneficial owners when control is exercised through ownership. This assessment should consider in particular the lessons learned from Member States or third countries having introduced lower thresholds.
(97)In order to ensure consistent application of AML/CFT requirements, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission to supplement this Regulation by adopting delegated acts identifying high-risk third countries, third countries with compliance weaknesses and countries that pose a threat to the Union’s financial system and defining harmonised and proportionate enhanced due diligence measures as well as, where relevant, mitigating measures as well as the regulatory technical standards setting out the minimum requirements of group-wide policies, controls and procedures and the conditions under which structures which share common ownership, management or compliance controls are required to apply group-wide policies, controls and procedures, the actions to be taken by groups when the laws of third countries do not permit the application of group-wide policies, controls and procedures and supervisory measures, the sectors and transactions subject to lower thresholds for the performance of customer due diligence and the information necessary for the performance of customer due diligence. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
(98)In order to ensure uniform conditions for the application of this Regulation, implementing powers should be conferred on the Commission in order to identify legal arrangements similar to express trusts governed by the national laws of Member States as well as to adopt implementing technical standards specifying the format to be used for the reporting of suspicious transactions. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council.
(99)This Regulation respects the fundamental rights and observes the principles recognised by the Charter, in particular the right to respect for private and family life (Article 7 of the Charter), the right to the protection of personal data (Article 8 of the Charter) and the freedom to conduct a business (Article 16 of the Charter).
(100)In accordance with Article 21 of the Charter, which prohibits discrimination based on any grounds, obliged entities should perform risk assessments in the context of customer due diligence without discrimination.
(101)When drawing up a report evaluating the implementation of this Regulation, the Commission should give due consideration to the respect of the fundamental rights and principles recognised by the Charter.
(102)Since the objective of this Regulation, namely to prevent the use of the Union’s financial system for the purposes of money laundering and terrorist financing, cannot be sufficiently achieved by the Member States and can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.
(103)The European Data Protection Supervisor has been consulted in accordance with Article 42 of Regulation (EU) 2018/1725 [and delivered an opinion on ...],
HAVE ADOPTED THIS REGULATION:
CHAPTER I
GENERAL PROVISIONS
Section 1
Subject matter and definitions
Article 1
Subject matter
This Regulation lays down rules concerning:
(a)the measures to be applied by obliged entities to prevent money laundering and terrorist financing;
(b)beneficial ownership transparency requirements for legal entities and arrangements;
(c)measures to limit the misuse of bearer instruments.
Article 2
Definitions
For the purposes of this Regulation, the following definitions apply:
(1)‘money laundering’ means the conduct as set out in Article 3, paragraphs 1 and 5 of Directive (EU) 2018/1673 including aiding and abetting, inciting and attempting to commit that conduct, whether the activities which generated the property to be laundered were carried out on the territory of a Member State or on that of a third country. Knowledge, intent or purpose required as an element of that conduct may be inferred from objective factual circumstances;
(2)‘terrorist financing’ means the conduct set out in Article 11 of Directive (EU) 2017/541 including aiding and abetting, inciting and attempting to commit that conduct, whether carried out on the territory of a Member State or on that of a third country. Knowledge, intent or purpose required as an element of that conduct may be inferred from objective factual circumstances;
(3)‘criminal activity’ means criminal activity as defined in Article 2(1) of Directive (EU) 2018/1673, as well as fraud affecting the Union’s financial interests as defined in Article 3(2) of Directive (EU) 2017/1371, passive and active corruption as defined in Article 4 (2) and misappropriation as defined in Article 4(3), second subparagraph of that Directive;
(4)‘property’ means property as defined in Article 2(2) of Directive (EU) 2018/1673;
(5)‘credit institution’ means a credit institution as defined in Article 4(1), point (1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council, including branches thereof, as defined in Article 4(1), point (17) of that Regulation, located in the Union, whether their head office is situated within the Union or in a third country;
(6)‘financial institution’ means:
(a)an undertaking other than a credit institution or an investment firm, which carries out one or more of the activities listed in points (2) to (12), (14) and (15) of Annex I to Directive 2013/36/EU of the European Parliament and of the Council, including the activities of currency exchange offices (bureaux de change), or the principal activity of which is to acquire holdings, including a financial holding company and a mixed financial holding company;
(b)an insurance undertaking as defined in Article 13, point (1) of Directive 2009/138/EC of the European Parliament and of the Council, insofar as it carries out life or other investment-related assurance activities covered by that Directive, including insurance holding companies and mixed-activity insurance holding companies as defined, respectively, in Article 212(1), points (f) and (g) of Directive 2009/138/EC;
(c)an insurance intermediary as defined in Article 2(1), point (3) of Directive (EU) 2016/97 of the European Parliament and of the Council where it acts with respect to life insurance and other investment-related services;
(d)an investment firm as defined in Article 4(1), point (1) of Directive 2014/65/EU of the European Parliament and of the Council;
(e)a collective investment undertaking, in particular:
(i) an undertaking for collective investment in transferable securities as defined in Article 1(2) of Directive 2009/65/EC and its management company as defined in Article 2(1)(b) of that Directive or an investment company authorised in accordance with that Directive and which has not designated a management company, that makes available for purchase units of UCITS in the Union;
(ii) an alternative investment fund as defined in Article 4(1)(a) of Directive 2011/61/EU and its alternative investment fund manager as defined in Article 4(1)(b) of that Directive that fall within the scope set out in Article 2 of that Directive;
(f)branches of financial institutions as defined in points (a) to (e), when located in the Union, whether their head office is situated in a Member State or in a third country;
(7)‘trust or company service provider’ means any person that, by way of its business, provides any of the following services to third parties:
(a)the formation of companies or other legal persons;
(b)acting as, or arranging for another person to act as, a director or secretary of a company, a partner of a partnership, or a similar position in relation to other legal persons;
(c)providing a registered office, business address, correspondence or administrative address and other related services for a company, a partnership or any other legal person or arrangement;
(d)acting as, or arranging for another person to act as, a trustee of an express trust or performing an equivalent function for a similar legal arrangement;
(e)acting as, or arranging for another person to act as, a nominee shareholder for another person;
(8)‘gambling services’ means a service which involves wagering a stake with monetary value in games of chance, including those with an element of skill such as lotteries, casino games, poker games and betting transactions that are provided at a physical location, or by any means at a distance, by electronic means or any other technology for facilitating communication, and at the individual request of a recipient of services;
(9)‘mortgage creditor’ means a creditor as defined in Article 4, point (2) of Directive 2014/17/EU of the European Parliament and of the Council;
(10)‘mortgage credit intermediary’ means a credit intermediary as defined in Article 4, point (5) of Directive 2014/17/EU;
(11)‘consumer creditor‘ means a creditor as defined in Article 3, point (b) of Directive 2008/48/EC of the European Parliament and of the Council;
(12)‘consumer a credit intermediary’ means a credit intermediary as defined in Article 3, point (f) of Directive 2008/48/EC;
(13)‘crypto-asset’ means a crypto-asset as defined in Article 3(1), point (2) of Regulation [please insert reference – proposal for a Regulation on Markets in Crypto-assets, and amending Directive (EU) 2019/1937 - COM/2020/593 final] except when falling under the categories listed in Article 2(2) of that Regulation or not otherwise qualifying as funds;
(14)‘crypto-asset service provider’ means a crypto-assets service provider as defined in Article 3(1), point (8) of Regulation [please insert reference – proposal for a Regulation on Markets in Crypto-assets, and amending Directive (EU) 2019/1937 - COM/2020/593 final] where performing one or more crypto-asset services as defined in Article 3(1) point (9) of that Regulation;
(15)‘electronic money’ means electronic money as defined in Article 2, point (2) of Directive 2009/110/EC, but excluding monetary value as referred to in Article 1(4) and (5) of that Directive;
(16)‘business relationship’ means a business, professional or commercial relationship which is connected with the professional activities of an obliged entity and which is expected, at the time when the contact is established, to have an element of duration, including a relationship where an obliged entity is asked to form a company or set up a trust for its customer, whether or not the formation of the company or setting up of the trust is the only transaction carried out for that customer;
(17)‘linked transactions’ means two or more transactions with either identical or similar origin and destination, over a specific period of time;
(18)‘third country’ means any jurisdiction, independent state or autonomous territory that is not part of the European Union but that has its own AML/CFT legislation or enforcement regime;
(19)‘correspondent relationship’ means:
(a)the provision of banking services by one credit institution as the correspondent to another credit institution as the respondent, including providing a current or other liability account and related services, such as cash management, international funds transfers, cheque clearing, payable-through accounts and foreign exchange services;
(b)the relationships between and among credit institutions and financial institutions including where similar services are provided by a correspondent institution to a respondent institution, and including relationships established for securities transactions or funds transfers;
(20)‘shell bank’ means a credit institution or financial institution, or an institution that carries out activities equivalent to those carried out by credit institutions and financial institutions, incorporated in a jurisdiction in which it has no physical presence, involving meaningful mind and management, and which is unaffiliated with a regulated financial group;
(21)‘Legal Entity Identifier’ means a unique alphanumeric reference code based on the ISO 17442 standard assigned to a legal entity;
(22)‘beneficial owner’ means any natural person who ultimately owns or controls a legal entity or express trust or similar legal arrangement, as well as any natural person on whose behalf or for the benefit of whom a transaction or activity is being conducted;
(23)‘legal arrangement’ means an express trust or an arrangement which has a similar structure or function to an express trust, including fiducie and certain types of Treuhand and fideicomiso;
(24)‘formal nominee arrangement’ means a contract or a formal arrangement with an equivalent legal value to a contract, between the nominee and the nominator, where the nominator is a legal entity or natural person that issues instructions to a nominee to act on their behalf in a certain capacity, including as a director or shareholder, and the nominee is a legal entity or natural person instructed by the nominator to act on their behalf;
(25)‘politically exposed person’ means a natural person who is or has been entrusted with the following prominent public functions:
(a)in a Member State:
(i) heads of State, heads of government, ministers and deputy or assistant ministers;
(ii) members of parliament or of similar legislative bodies;
(iii) members of the governing bodies of political parties;
(iv) members of supreme courts, of constitutional courts or of other high-level judicial bodies, the decisions of which are not subject to further appeal, except in exceptional circumstances;
(v) members of courts of auditors or of the boards of central banks;
(vi) ambassadors, chargés d'affaires and high-ranking officers in the armed forces;
(vii) members of the administrative, management or supervisory bodies of State-owned enterprises;
(b)in an international organisation:
(i) the highest ranking official, his/her deputies and members of the board or equivalent function of an international organisation;
(ii) representatives to a Member State or to the Union;
(c)at Union level:
(i) functions at the level of Union institutions and bodies that are equivalent to those listed in points (a)(i), (ii), (iv), (v) and (vi);
(d)in a third country:
(i) functions that are equivalent to those listed in point (a);
(26)‘family members’ means:
(a)the spouse, or the person in a registered partnership or civil union or in a similar arrangement;
(b)the children and the spouses of, or persons in a registered partnership or civil union or in a similar arrangement with, those children;
(c)the parents;
(27)‘persons known to be close associates’ means:
(a)natural persons who are known to have joint beneficial ownership of legal entities or legal arrangements, or any other close business relations, with a politically exposed person;
(b)natural persons who have sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the de facto benefit of a politically exposed person;
(28)‘senior management’ means, in addition to executive members of the board of directors or, if there is no board, of its equivalent governing body, an officer or employee with sufficient knowledge of the institution's money laundering and terrorist financing risk exposure and sufficient seniority to take decisions affecting its risk exposure;
(29)‘group’ means a group of undertakings which consists of a parent undertaking, its subsidiaries, and the entities in which the parent undertaking or its subsidiaries hold a participation, as well as undertakings linked to each other by a relationship within the meaning of Article 22 of Directive 2013/34/EU of the European Parliament and of the Council;
(30)‘cash’ means currency, bearer-negotiable instruments, commodities used as highly-liquid stores of value and prepaid cards, as defined in Article 2(1), points (c) to (f) of Regulation (EU) 2018/1672 of the European Parliament and of the Council;
(31)‘competent authority’ means:
(a)a Financial Intelligence Unit;
(b)a supervisory authority as defined under point (33);
(c)a public authority that has the function of investigating or prosecuting money laundering, its predicate offences or terrorist financing, or that has the function of tracing, seizing or freezing and confiscating criminal assets;
(d)a public authority with designated responsibilities for combating money laundering or terrorist financing;
(32)‘supervisor’ means the body entrusted with responsibilities aimed at ensuring compliance by obliged entities with the requirements of this Regulation, including the Authority for anti-money laundering and countering the financing of terrorism (AMLA) when performing the tasks entrusted on it in Article 5(2) of Regulation [please insert reference – proposal for establishment of an Anti-Money Laundering Authority - COM/2021/421 final];
(33)‘supervisory authority’ means a supervisor who is a public body, or the public authority overseeing self-regulatory bodies in their performance of supervisory functions pursuant to Article 29 of Directive [please insert reference – proposal for 6th Anti-Money Laundering Directive - COM/2021/423 final];
(34)‘self-regulatory body’ means a body that represents members of a profession and has a role in regulating them, in performing certain supervisory or monitoring functions and in ensuring the enforcement of the rules relating to them;
(35)‘targeted financial sanctions’ means both asset freezing and prohibitions to make funds or other assets available, directly or indirectly, for the benefit of designated persons and entities pursuant to Council Decisions adopted on the basis of Article 29 of the Treaty on European Union and Council Regulations adopted on the basis of Article 215 of the Treaty on the Functioning of the European Union;
(36)‘proliferation financing-related targeted financial sanctions’ means those targeted financial sanctions referred to in point (35) that are imposed pursuant to Council Decision (CFSP) 2016/849 and Council Decision 2010/413/CFSP and pursuant to Council Regulation (EU) 2017/1509 and Council Regulation (EU) 267/2012.
Section 2
Scope
Article 3
Obliged entities
The following entities are to be considered obliged entities for the purposes of this Regulation:
(1)credit institutions;
(2)financial institutions;
(3)the following natural or legal persons acting in the exercise of their professional activities:
(a) auditors, external accountants and tax advisors, and any other natural or legal person that undertakes to provide, directly or by means of other persons to which that other person is related, material aid, assistance or advice on tax matters as principal business or professional activity;
(b) notaries and other independent legal professionals, where they participate, whether by acting on behalf of and for their client in any financial or real estate transaction, or by assisting in the planning or carrying out of transactions for their client concerning any of the following:
(i) buying and selling of real property or business entities;
(ii) managing of client money, securities or other assets;
(iii) opening or management of bank, savings or securities accounts;
(iv) organisation of contributions necessary for the creation, operation or management of companies;
(v) creation, operation or management of trusts, companies, foundations, or similar structures;
(c) trust or company service providers;
(d) estate agents, including when acting as intermediaries in the letting of immovable property for transactions for which the monthly rent amounts to EUR 10 000 or more, or the equivalent in national currency;
(e) persons trading in precious metals and stones;
(f) providers of gambling services;
(g) crypto-asset service providers;
(h) crowdfunding service providers other than those regulated by Regulation (EU) 2020/1503;
(i) persons trading or acting as intermediaries in the trade of works of art, including when this is carried out by art galleries and auction houses, where the value of the transaction or linked transactions amounts to at least EUR 10 000 or the equivalent in national currency;
(j) persons storing, trading or acting as intermediaries in the trade of works of art when this is carried out within free zones and customs warehouses, where the value of the transaction or linked transactions amounts to at least EUR 10 000 or the equivalent in national currency;
(k) creditors for mortgage and consumer credits, other than credit institutions defined in Article 2(5) and financial institutions defined in Article 2(6), and credit intermediaries for mortgage and consumer credits;
(l) investment migration operators permitted to represent or offer intermediation services to third country nationals seeking to obtain residence rights in a Member State in exchange of any kind of investment, including capital transfers, purchase or renting of property, investment in government bonds, investment in corporate entities, donation or endowment of an activity to the public good and contributions to the state budget.
Article 4
Exemptions for certain providers of gambling services
1.With the exception of casinos, Member States may decide to exempt, in full or in part, providers of gambling services from the requirements set out in this Regulation on the basis of the proven low risk posed by the nature and, where appropriate, the scale of operations of such services.
2.For the purposes of paragraph 1, Member States shall carry out a risk assessment of gambling services assessing:
(a)money laundering and terrorist financing vulnerabilities and mitigating factors of the gambling services;
(b)the risks linked to the size of the transactions and payment methods used;
(c)the geographical area in which the gambling service is administered.
When carrying out such risk assessments, Member States shall take into account the findings of the risk assessment drawn up by the Commission pursuant to Article 7 of Directive [please insert reference – proposal for 6th Anti-Money Laundering Directive - COM/2021/423 final].
3.Member States shall establish risk-based monitoring activities or take other adequate measures to ensure that the exemptions granted pursuant to this Article are not abused.
Article 5
Exemptions for certain financial activities
1.With the exception of persons engaged in the activity of money remittance as defined in Article 4, point (22) of Directive (EU) 2015/2366, Member States may decide to exempt persons that engage in a financial activity as listed in Annex I, points (2) to (12), (14) and (15), to Directive 2013/36/EU on an occasional or very limited basis where there is little risk of money laundering or terrorist financing from the requirements set out in this Regulation, provided that all of the following criteria are met:
(a)the financial activity is limited in absolute terms;
(b)the financial activity is limited on a transaction basis;
(c)the financial activity is not the main activity of such persons;
(d)the financial activity is ancillary and directly related to the main activity of such persons;
(e)the main activity of such persons is not an activity referred to in Article 3, point (3)(a) to (d) or (f);
(f)the financial activity is provided only to the customers of the main activity of such persons and is not generally offered to the public.
2.For the purposes of paragraph 1, point (a), Member States shall require that the total turnover of the financial activity does not exceed a threshold which shall be sufficiently low. That threshold shall be established at national level, depending on the type of financial activity.
3.For the purposes of paragraph 1, point (b), Member States shall apply a maximum threshold per customer and per single transaction, whether the transaction is carried out in a single operation or in several operations which appear to be linked. That maximum threshold shall be established at national level, depending on the type of financial activity. It shall be sufficiently low in order to ensure that the types of transactions in question are an impractical and inefficient method for money laundering or terrorist financing, and shall not exceed EUR 1 000 or the equivalent in national currency.
4.For the purposes of paragraph 1, point (c), Member States shall require that the turnover of the financial activity does not exceed 5 % of the total turnover of the natural or legal person concerned.
5.In assessing the risk of money laundering or terrorist financing for the purposes of this Article, Member States shall pay particular attention to any financial activity which is considered to be particularly likely, by its nature, to be used or abused for the purposes of money laundering or terrorist financing.
6.Member States shall establish risk-based monitoring activities or take other adequate measures to ensure that the exemptions granted pursuant to this Article are not abused.
Article 6
Prior notification of exemptions
1.Member States shall notify the Commission of any exemption that they intend to grant in accordance with Articles 4 and 5 without delay. The notification shall include a justification based on the relevant risk assessment for the exemption.
2.The Commission shall within two months from the notification referred to in paragraph 2 take one of the following actions:
(a)confirm that the exemption may be granted;
(b)by reasoned decision, declare that the exemption may not be granted.
3.Upon reception of a decision by the Commission pursuant to paragraph 2(a), Member States may adopt the decision granting the exemption. Such decision shall state the reasons on which it is based. Member States shall review such decisions regularly, and in any case when they update their national risk assessment pursuant to Article 8 of Directive [please insert reference – proposal for 6th Anti-Money Laundering Directive - COM/2021/423 final].
4.By [3 months from the date of application of this Regulation], Member States shall notify to the Commission the exemptions granted pursuant to Article 2(2) and (3) of Directive (EU) 2015/849 in place at the time of the date of application of this Regulation.
5.The Commission shall publish every year in the Official Journal of the European Union the list of exemptions granted pursuant to this Article.
CHAPTER II
INTERNAL POLICIES, CONTROLS AND PROCEDURES OF OBLIGED ENTITIES
SECTION 1
Internal procedures, risk assessment and staff
Article 7
Scope of internal policies, controls and procedures
1.Obliged entities shall have in place policies, controls and procedures in order to ensure compliance with this Regulation and in particular to:
(a)mitigate and manage effectively the risks of money laundering and terrorist financing identified at the level of the Union, the Member State and the obliged entity;
(b)in addition to the obligation to apply targeted financial sanctions, mitigate and manage the risks of non-implementation and evasion of proliferation financing-related targeted financial sanctions.
Those policies, controls and procedures shall be proportionate to the nature and size of the obliged entity.
2.The policies, controls and procedures referred to in paragraph 1 shall include:
(a)the development of internal policies, controls and procedures, including risk management practices, customer due diligence, reporting, reliance and record-keeping, the monitoring and management of compliance with such policies, controls and procedures, as well as policies in relation to the processing of personal data pursuant to Article 55;
(b)policies, controls and procedures to identify, scrutinise and manage business relationships or occasional transactions that pose a higher or lower money laundering and terrorist financing risk;
(c)an independent audit function to test the internal policies, controls and procedures referred to in point (a);
(d)the verification, when recruiting and assigning staff to certain tasks and functions and when appointing its agents and distributors, that those persons are of good repute, proportionate to the risks associated with the tasks and functions to be performed;
(e)the internal communication of the obliged entity’s internal policies, controls and procedures, including to its agents and distributors;
(f)a policy on the training of employees and, where relevant, its agents and distributors with regard to measures in place in the obliged entity to comply with the requirements of this Regulation.
The internal policies, controls and procedures set out in the first subparagraph, points (a) to (f) shall be recorded in writing. The senior management shall approve those policies controls and procedures.
3.The obliged entities shall keep the policies, controls and procedures up to date, and enhance them where weaknesses are identified.
4.By [2 years after the entry into force of this Regulation], AMLA shall issue guidelines on the elements that obliged entities should take into account when deciding on the extent of their internal policies, controls and procedures.
Article 8
Risk assessment
1.Obliged entities shall take appropriate measures, proportionate to their nature and size, to identify and assess the risks of money laundering and terrorist financing to which they are exposed, as well as the risks of non-implementation and evasion of proliferation financing-related targeted financial sanctions, taking into account:
(a)the risk variables set out in Annex I and the risk factors set out in Annexes II and III;
(b)the findings of the supra-national risk assessment drawn up by the Commission pursuant to Article 7 of Directive [please insert reference – proposal for 6th Anti-Money Laundering Directive - COM/2021/423 final];
(c)the findings of the national risk assessments carried out by the Member States pursuant to Article 8 of [please insert reference – proposal for 6th Anti-Money Laundering Directive - COM/2021/423 final].
2.The risk assessment drawn up by the obliged entity pursuant to paragraph 1 shall be documented, kept up-to-date and made available to supervisors.
3.Supervisors may decide that individual documented risk assessments are not required where the specific risks inherent in the sector are clear and understood.
Article 9
Compliance functions
1.Obliged entities shall appoint one executive member of their board of directors or, if there is no board, of its equivalent governing body who shall be responsible for the implementation of measures to ensure compliance with this Regulation (‘compliance manager’). Where the entity has no governing body, the function should be performed by a member of its senior management.
2.The compliance manager shall be responsible for implementing the obliged entity’s policies, controls and procedures and for receiving information on significant or material weaknesses in such policies, controls and procedures. The compliance manager shall regularly report on those matters to the board of director or equivalent governing body. For parent undertakings, that person shall also be responsible for overseeing group-wide policies, controls and procedures.
3.Obliged entities shall have a compliance officer, to be appointed by the board of directors or governing body, who shall be in charge of the day-to-day operation of the obliged entity’s anti-money laundering and countering the financing of terrorism (AML/CFT) policies. That person shall also be responsible for reporting suspicious transactions to the Financial Intelligence Unit (FIU) in accordance with Article 50(6).
In the case of obliged entities subject to checks on their senior management or beneficial owners pursuant to Article 6 of Directive [please insert reference – proposal for 6th Anti-Money Laundering Directive - COM/2021/423 final] or under other Union acts, compliance officers shall be subject to verification that they comply with those requirements.
An obliged entity that is part of a group may appoint as its compliance officer an individual who performs that function in another entity within that group.
4.Obliged entities shall provide the compliance functions with adequate resources, including staff and technology, in proportion to the size, nature and risks of the obliged entity for the implementation of compliance functions, and shall ensure that the powers to propose any measures necessary to ensure the effectiveness of the obliged entity’s internal policies, controls and procedures are granted to the persons responsible for those functions.
5.The compliance manager shall submit once a year, or more frequently where appropriate, to the governing body a report on the implementation of the obliged entity’s internal policies, controls and procedures, and shall keep the management body informed of the outcome of any reviews. The governing body shall take the necessary actions to remedy any deficiencies identified in a timely manner.
6.Where the size of the obliged entity justifies it, the functions referred to in paragraphs 1 and 3 may be performed by the same natural person.
Where the obliged entity is a natural person or a legal person whose activities are performed by one natural person only, that person shall be responsible for performing the tasks under this Article.
Article 10
Awareness of requirements
Obliged entities shall take measures to ensure that their employees whose function so requires, as well as their agents and distributors are aware of the requirements arising from this Regulation and of the internal policies, controls and procedures in place in the obliged entity, including in relation to the processing of personal data for the purposes of this Regulation.
The measures referred to in the first subparagraph shall include the participation of employees in specific, ongoing training programmes to help them recognise operations which may be related to money laundering or terrorist financing and to instruct them as to how to proceed in such cases. Such training programmes shall be duly documented.
Article 11
Integrity of employees
1.Any employee of an obliged entity entrusted with tasks related to the obliged entity’s compliance with this Regulation and Regulation [please insert reference – proposal for a recast of Regulation (EU) 2015/847 - COM/2021/422 final] shall undergo an assessment approved by the compliance officer of:
(a)individual skills, knowledge and expertise to carry out their functions effectively;
(b)good repute, honesty and integrity.
2.Employees entrusted with tasks related to the obliged entity’s compliance with this Regulation shall inform the compliance officer of any close private or professional relationship established with the obliged entity’s customers or prospective customers and shall be prevented from undertaking any tasks related to the obliged entity’s compliance in relation to those customers.
3.Obliged entities shall have in place appropriate procedures for their employees, or persons in a comparable position, to report breaches of this Regulation internally through a specific, independent and anonymous channel, proportionate to the nature and size of the obliged entity concerned.
Obliged entities shall take measures to ensure that employees, managers or agents who report breaches pursuant to the first subparagraph are protected against retaliation, discrimination and any other unfair treatment.
4.This Article shall not apply to obliged entities that are sole traders.
Article 12
Situation of specific employees
Where a natural person falling within any of the categories listed in Article 3, point (3) performs professional activities as an employee of a legal person, the requirements laid down in this Section shall apply to that legal person rather than to the natural person.
SECTION 2
Provisions applying to groups
Article 13
Group-wide requirements
1.A parent undertaking shall ensure that the requirements on internal procedures, risk assessment and staff referred to in Section 1 of this Chapter apply in all branches and subsidiaries of the group in the Member States and, for groups whose parent undertaking is established in the Union in third countries. The group-wide policies, controls and procedures shall also include data protection policies and policies, controls and procedures for sharing information within the group for AML/CFT purposes.
2.The policies, controls and procedures pertaining to the sharing of information referred to in paragraph 1 shall require obliged entities within the group to exchange information when such sharing is relevant for preventing money laundering and terrorist financing. The sharing of information within the group shall cover in particular the identity and characteristics of the customer, its beneficial owners or the person on behalf of whom the customer acts, the nature and purpose of the business relationship and the suspicions that funds are the proceeds of criminal activity or are related to terrorist financing reported to FIU pursuant to Article 50, unless otherwise instructed by the FIU.
Groups shall put in place group-wide policies, controls and procedures to ensure that the information exchanged pursuant to the first subparagraph is subject to sufficient guarantees in terms of confidentiality, data protection and use of the information, including to prevent its disclosure.
3.By [2 years from the entry into force of this Regulation], AMLA shall develop draft regulatory technical standards and submit them to the Commission for adoption. Those draft regulatory technical standards shall specify the minimum requirements of group-wide policies, including minimum standards for information sharing within the group, the role and responsibilities of parent undertakings that are not themselves obliged entities with respect to ensuring group-wide compliance with AML/CFT requirements and the conditions under which the provisions of this Article apply to entities that are part of structures which share common ownership, management or compliance control, including networks or partnerships.
4.The Commission is empowered to supplement this Regulation by adopting the regulatory technical standards referred to in paragraph 3 of this Article in accordance with Articles 38 to 41 of Regulation [please insert reference – proposal for establishment of an Anti-Money Laundering Authority - COM/2021/421 final].
Article 14
Branches and subsidiaries in third countries
1.Where branches or subsidiaries of obliged entities are located in third countries where the minimum AML/CFT requirements are less strict than those set out in this Regulation, the obliged entity concerned shall ensure that those branches or subsidiaries comply with the requirements laid down in this Regulation, including requirements concerning data protection, or equivalent.
2.Where the law of a third country does not permit compliance with the requirements laid down in this Regulation, obliged entities shall take additional measures to ensure that branches and subsidiaries in that third country effectively handle the risk of money laundering or terrorist financing, and the head office shall inform the supervisors of their home Member State. Where the supervisors of the home Member State consider that the additional measures are not sufficient, they shall exercise additional supervisory actions, including requiring the group not to establish any business relationship, to terminate existing ones or not to undertake transactions, or to close down its operations in the third country.
3.By [2 years after the date of entry into force of this Regulation], AMLA shall develop draft regulatory technical standards and submit them to the Commission for adoption. Those draft regulatory technical standards shall specify the type of additional measures referred to in paragraph 2, including the minimum action to be taken by obliged entities where the law of a third country does not permit the implementation of the measures required under Article 13 and the additional supervisory actions required in such cases.
4.The Commission is empowered to supplement this Regulation by adopting the regulatory technical standards referred to in paragraph 3 of this Article in accordance with Articles 38 to 41 of Regulation [please insert reference – proposal for establishment of an Anti-Money Laundering Authority - COM/2021/421 final].
CHAPTER III
CUSTOMER DUE DILIGENCE
SECTION 1
General provisions
Article 15
Application of customer due diligence
1.Obliged entities shall apply customer due diligence measures in any of the following circumstances:
(a)when establishing a business relationship;
(b)when involved in or carrying out an occasional transaction that amounts to EUR 10 000 or more, or the equivalent in national currency, whether that transaction is carried out in a single operation or through linked transactions, or a lower threshold laid down pursuant to paragraph 5;
(c)when there is a suspicion of money laundering or terrorist financing, regardless of any derogation, exemption or threshold;
(d)when there are doubts about the veracity or adequacy of previously obtained customer identification data.
2.In addition to the circumstances referred to in paragraph 1, credit and financial institutions and crypto-asset service providers shall apply customer due diligence when either initiating or executing an occasional transaction that constitutes a transfer of funds as defined in Article 3, point (9) of Regulation [please insert reference – proposal for a recast of Regulation (EU) 2015/847 - COM/2021/422 final], or a transfer of crypto-assets as defined in Article 3, point (10) of that Regulation
, exceeding EUR 1 000 or the equivalent in national currency.
3.Providers of gambling services shall apply customer due diligence upon the collection of winnings, the wagering of a stake, or both, when carrying out transactions amounting to at least EUR 2 000 or the equivalent in national currency, whether the transaction is carried out in a single operation or in linked transactions.
4.In the case of credit institutions, the performance of customer due diligence shall also take place, under the oversight of supervisors, at the moment that the institution has been determined failing or likely to fail pursuant to Article 32(1) of Directive 2014/59/EU of the European Parliament and of the Council or when the deposits are unavailable in accordance with Article 2(1)(8) of Directive 2014/49/EU of the European Parliament and of the Council. Supervisors shall decide on the intensity and scope of such customer due diligence measures having regard to the specific circumstances of the credit institution.
5.By [2 years from the date of entry into force of this Regulation], AMLA shall develop draft regulatory technical standards and submit them to the Commission for adoption. Those draft regulatory technical standards shall specify:
(a)the obliged entities, sectors or transactions that are associated with higher money laundering and terrorist financing risk and which shall comply with thresholds lower than those set in paragraph 1 point (b);
(b)the related occasional transaction thresholds;
(c)the criteria to identify linked transactions.
When developing the draft regulatory technical standards referred to in the first sub-paragraph, AMLA shall take due account of the following:
(a)the inherent levels of risks of the business models of the different types of obliged entities;
(b)the supra-national risk assessment developed by the Commission pursuant to Article 7 of Directive [please insert reference – proposal for 6th Anti-Money Laundering Directive - COM/2021/423 final].
6.The Commission is empowered to supplement this Regulation by adopting the regulatory technical standards referred to in paragraph 5 of this Article in accordance with Articles 38 to 41 of [please insert reference – proposal for establishment of an Anti-Money Laundering Authority - COM/2021/421 final].
Article 16
Customer due diligence measures
1.For the purpose of conducting customer due diligence, obliged entities shall apply all of the following measures:
(a)identify the customer and verify the customer’s identity;
(b)identify the beneficial owner(s) pursuant to Articles 42 and 43 and verify their identity so that the obliged entity is satisfied that it knows who the beneficial owner is and that it understands the ownership and control structure of the customer;
(c)assess and, as appropriate, obtain information on the purpose and intended nature of the business relationship;
(d)conduct ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of the business relationship to ensure that the transactions being conducted are consistent with the obliged entity's knowledge of the customer, the business and risk profile, including where necessary the source of funds.
When applying the measures referred to in points (a) and (b) of the first subparagraph, obliged entities shall also verify that any person purporting to act on behalf of the customer is so authorised and shall identify and verify the identity of that person in accordance with Article 18.
2.Obliged entities shall determine the extent of the measures referred to in paragraph 1 on the basis of an individual analysis of the risks of money laundering and terrorist financing having regard to the specific characteristics of the client and of the business relationship or occasional transaction, and taking into account the risk assessment by the obliged entity pursuant to Article 8 and the money laundering and terrorist financing variables set out in Annex I as well as the risk factors set out in Annexes II and III.
Where obliged entities identify an increased risk of money laundering or terrorist financing they shall take enhanced due diligence measures pursuant to Section 4 of this Chapter. Where situations of lower risk are identified, obliged entities may apply simplified due diligence measures pursuant to Section 3 of this Chapter.
3.By [2 years after the date of application of this Regulation], AMLA shall issue guidelines on the risk variables and risk factors to be taken into account by obliged entities when entering into business relationships or carrying out occasional transactions.
4.Obliged entities shall at all times be able to demonstrate to their supervisors that the measures taken are appropriate in view of the risks of money laundering and terrorist financing that have been identified.
Article 17
Inability to comply with the requirement to apply customer due diligence measures
1.Where an obliged entity is unable to comply with the customer due diligence measures laid down in Article 16(1), it shall refrain from carrying out a transaction or establishing a business relationship, and shall terminate the business relationship and consider filing a suspicious transaction report to the FIU in relation to the customer in accordance with Article 50.
The first subparagraph shall not apply to notaries, lawyers and other independent legal professionals, auditors, external accountants and tax advisors, to the strict extent that those persons ascertain the legal position of their client, or perform the task of defending or representing that client in, or concerning, judicial proceedings, including providing advice on instituting or avoiding such proceedings.
2.Where obliged entities either accept or refuse to enter in a business relationship, they shall keep record of the actions taken in order to comply with the requirement to apply customer due diligence measures, including records of the decisions taken and the relevant supporting documents. Documents, data or information held by the obliged entity shall be updated whenever the customer due diligence is reviewed pursuant to Article 21.
Article 18
Identification and verification of the customer’s identity
1.With the exception of cases of lower risk to which measures under Section 3 apply and irrespective of the application of additional measures in cases of higher risk under Section 4 obliged entities shall obtain at least the following information in order to identify the customer and the person acting on their behalf:
(a)for a natural person:
(i) the forename and surname;
(ii) place and date of birth;
(iii) nationality or nationalities, or statelessness and refugee or subsidiary protection status where applicable, and the national identification number, where applicable;
(iv) the usual place of residence or, if there is no fixed residential address with legitimate residence in the Union, the postal address at which the natural person can be reached and, where possible, the occupation, profession, or employment status and the tax identification number;
(b)for a legal entity:
(i) legal form and name of the legal entity;
(ii) address of the registered or official office and, if different, the principal place of business, and the country of incorporation;
(iii) the names of the legal representatives as well as, where available, the registration number, the tax identification number and the Legal Entity Identifier. Obliged entities shall also verify that the legal entity has activities on the basis of accounting documents for the latest financial year or other relevant information;
(c)for a trustee of an express trust or a person holding an equivalent position in a similar legal arrangement:
(i) the information referred to in Article 44(1), points (a) and (b), and in point (b) of this paragraph for all the persons identified as beneficial owners;
(ii) the address of residence of the trustee(s) or person(s) holding an equivalent position in a similar legal arrangement, and the powers that regulate and bind the legal arrangements, as well as, where available, the tax identification number and the Legal Entity Identifier;
(d)for other organisations that have legal capacity under national law:
(i) name, address of the registered office or equivalent;
(ii) names of the persons empowered to represent the organisation as well as, where applicable, legal form, tax identification number, register number, Legal Entity Identifier and deeds of association or equivalent.
2.For the purposes of identifying the beneficial owner of a legal entity, obliged entities shall collect the information referred to in Article 44(1), point (a), and the information referred to in paragraph 1, point (b), of this Article.
Where, after having exhausted all possible means of identification pursuant to the first subparagraph, no natural person is identified as beneficial owner, or where there is any doubt that the person(s) identified is/are the beneficial owner(s), obliged entities shall identify the natural person(s) holding the position(s) of senior managing official(s) in the corporate or other legal entity and shall verify their identity. Obliged entities shall keep records of the actions taken as well as of the difficulties encountered during the identification process, which led to resorting to the identification of a senior managing official.
3.In the case of beneficiaries of trusts or similar legal entities or arrangements that are designated by particular characteristics or class, an obliged entity shall obtain sufficient information concerning the beneficiary so that it will be able to establish the identity of the beneficiary at the time of the payout or at the time of the exercise by the beneficiary of its vested rights.
4.Obliged entities shall obtain the information, documents and data necessary for the verification of the customer and beneficial owner identity through either of the following:
(a)the submission of the identity document, passport or equivalent and the acquisition of information from reliable and independent sources, whether accessed directly or provided by the customer;
(b)the use of electronic identification means and relevant trust services as set out in Regulation (EU) 910/2014.
For the purposes of verifying the information on the beneficial owner(s), obliged entities shall also consult the central registers referred to in Article 10 of Directive [please insert reference – proposal for 6th Anti-Money Laundering Directive - COM/2021/423 final] as well as additional information. Obliged entities shall determine the extent of the additional information to be consulted, having regard to the risks posed by the transaction or the business relationship and the beneficial owner.
Article 19
Timing of the verification of the customer and beneficial owner identity
1.Verification of the identity of the customer and of the beneficial owner shall take place before the establishment of a business relationship or the carrying out of an occasional transaction. Such obligation shall not apply to situations of lower risk under Section 3 of this Chapter, provided that the lower risk justifies postponement of such verification.
2.By way of derogation from paragraph 1, verification of the identity of the customer and of the beneficial owner may be completed during the establishment of a business relationship if necessary so as not to interrupt the normal conduct of business and where there is little risk of money laundering or terrorist financing. In such situations, those procedures shall be completed as soon as practicable after initial contact.
3.By way of derogation from paragraph 1, a credit institution or financial institution may open an account, including accounts that permit transactions in transferable securities, as may be required by a customer provided that there are adequate safeguards in place to ensure that transactions are not carried out by the customer or on its behalf until full compliance with the customer due diligence requirements laid down in Article 16(1), first subparagraph, points (a) and (b) is obtained.
4.Whenever entering into a new business relationship with a legal entity or the trustee of an express trust or the person holding an equivalent position in a similar legal arrangement referred to in Articles 42, 43 and 48 and subject to the registration of beneficial ownership information pursuant to Article 10 of Directive [please insert reference – proposal for 6th Anti-Money Laundering Directive - COM/2021/423 final], obliged entities shall collect proof of registration or an excerpt of the register.
Article 20
Identification of the purpose and intended nature of a business relationship or occasional transaction
Before entering into a business relationship or performing an occasional transaction, an obliged entity shall obtain at least the following information in order to understand its purpose and intended nature:
(a)the purpose of the envisaged account, transaction or business relationship;
(b)the estimated amount and economic rationale of the envisaged transactions or activities;
(c)the source of funds;
(d)the destination of funds.
Article 21
Ongoing monitoring of the business relationship and monitoring of transactions performed by customers
1.Obliged entities shall conduct ongoing monitoring of the business relationship, including transactions undertaken by the customer throughout the course of that relationship, to control that those transactions are consistent with the obliged entity’s knowledge of the customer, the customer’s business activity and risk profile, and where necessary, with the information about the origin of the funds and to detect those transactions that shall be made subject to a more thorough analysis pursuant to Article 50.
2.In the context of the ongoing monitoring referred to in paragraph 1, obliged entities shall ensure that the relevant documents, data or information of the customer are kept up-to-date.
The frequency of updating customer information pursuant to the first sub-paragraph shall be based on the risk posed by the business relationship. The frequency of updating of customer information shall in any case not exceed five years.
3.In addition to the requirements set out in paragraph 2, obliged entities shall review and, where relevant, update the customer information where:
(a)there is a change in the relevant circumstances of a customer;
(b)the obliged entity has a legal obligation in the course of the relevant calendar year to contact the customer for the purpose of reviewing any relevant information relating to the beneficial owner(s) or to comply with Council Directive 2011/16/EU;
(c)they become aware of a relevant fact which pertains to the customer.
4.By [2 years after the entry into force of this Regulation], AMLA shall issue guidelines on ongoing monitoring of a business relationship and on the monitoring of the transactions carried out in the context of such relationship.
Article 22
Regulatory technical standards on the information necessary for the performance of customer due diligence
1.By [2 years after the entry into force of this Regulation] AMLA shall develop draft regulatory technical standards and submit them to the Commission for adoption. Those draft regulatory technical standards shall specify:
(a)the requirements that apply to obliged entities pursuant to Article 16 and the information to be collected for the purpose of performing standard, simplified and enhanced customer due diligence pursuant to Articles 18 and 20 and Articles 27(1) and 28(4), including minimum requirements in situations of lower risk;
(b)the type of simplified due diligence measures which obliged entities may apply in situations of lower risk pursuant to Article 27(1),including measures applicable to specific categories of obliged entities and products or services, having regard to the results of the supra-national risk assessment drawn up by the Commission pursuant to Article 7 of [please insert reference – proposal for 6th Anti-Money Laundering Directive - COM/2021/423 final];
(c)the reliable and independent sources of information that may be used to verify the identification data of natural or legal persons for the purposes of Article 18(4);
(d)the list of attributes which electronic identification means and relevant trust services referred to in Article 18(4), point (b), must feature in order to fulfil the requirements of Article 16, points (a), (b) and (c) in case of standard, simplified and enhanced customer diligence.
2.The requirements and measures referred to in paragraph 1, points (a) and (b), shall be based on the following criteria:
(a)the inherent risk involved in the service provided;
(b)the nature, amount and recurrence of the transaction;
(c)the channels used for conducting the business relationship or the occasional transaction.
3.AMLA shall review regularly the regulatory technical standards and, if necessary, prepare and submit to the Commission the draft for updating those standards in order, inter alia, to take account of innovation and technological developments.
4.The Commission is empowered to supplement this Regulation by adopting the regulatory technical standards referred to in paragraphs 1 and 3 of this Article in accordance with Articles 38 to 41 of Regulation [please insert reference – proposal for establishment of an Anti-Money Laundering Authority - COM/2021/421 final].
SECTION 2
Third-country policy and ML/TF threats from outside the Union
Article 23
Identification of third countries with significant strategic deficiencies in their national AML/CFT regimes
1.Third countries with significant strategic deficiencies in their national AML/CFT regimes shall be identified by the Commission and designated as ‘high-risk third countries’.
2.In order to identify the countries referred to in paragraph 1, the Commission is empowered to adopt delegated acts in accordance with Article 60 to supplement this Regulation, where:
(a)significant strategic deficiencies in the legal and institutional AML/CFT framework of the third country have been identified;
(b)significant strategic deficiencies in the effectiveness of the third country’s AML/CFT system in addressing money laundering or terrorist financing risks have been identified;
(c)the significant strategic deficiencies identified under points (a) and (b) are of a persistent nature and no measures to mitigate them have been taken or are being taken.
Those delegated acts shall be adopted within one month after the Commission has ascertained that the criteria in point (a), (b) or (c) are met.
3.For the purposes of paragraph 2, the Commission shall take into account calls for the application of enhanced due diligence measures and additional mitigating measures (‘countermeasures’) by international organisations and standard setters with competence in the field of preventing money laundering and combating terrorist financing, as well as relevant evaluations, assessments, reports or public statements drawn up by them.
4.Where a third country is identified in accordance with the criteria referred to in paragraph 3, obliged entities shall apply enhanced due diligence measures listed in Article 28(4), points (a) to (g) with respect to the business relationships or occasional transactions involving natural or legal persons from that third country.
5.The delegated act referred to in paragraph 2 shall identify among the countermeasures listed in Article 29 the specific countermeasures mitigating country-specific risks stemming from high-risk third countries.
6.The Commission shall review the delegated acts referred to in paragraph 2 on a regular basis to ensure that the specific countermeasures identified pursuant to paragraph 5 take account of the changes in the AML/CFT framework of the third country and are proportionate and adequate to the risks.
Article 24
Identification of third countries with compliance weaknesses in their national AML/CFT regimes
1.Third countries with compliance weaknesses in their national AML/CFT regimes shall be identified by the Commission.
2.In order to identify the countries referred to in paragraph 1, the Commission is empowered to adopt delegated acts in accordance with Article 60 to supplement this Regulation, where:
(a)compliance weaknesses in the legal and institutional AML/CFT framework of the third country have been identified;
(b)compliance weaknesses in the effectiveness of the third country’s AML/CFT system in addressing money laundering or terrorist financing risks have been identified.
Those delegated acts shall be adopted within one month after the Commission has ascertained that the criteria in point (a) or (b) are met.
3.The Commission, when drawing up the delegated acts referred to in paragraph 2 shall take into account information on jurisdictions under increased monitoring by international organisations and standard setters with competence in the field of preventing money laundering and combating terrorist financing, as well as relevant evaluations, assessments, reports or public statements drawn up by them.
4.The delegated act referred to in paragraph 2 shall identify the specific enhanced due diligence measures among those listed in Article 28(4), points (a) to (g), that obliged entities shall apply to mitigate risks related to business relationships or occasional transactions involving natural or legal persons from that third country.
5.The Commission shall review the delegated acts referred to in paragraph 2 on a regular basis to ensure that the specific enhanced due diligence measures identified pursuant to paragraph 4 take account of the changes in the AML/CFT framework of the third country and are proportionate and adequate to the risks.
Article 25
Identification of third countries posing a threat to the Union’s financial system
1.The Commission is empowered to adopt delegated acts in accordance with Article 60 identifying third countries that pose a specific and serious threat to the financial system of the Union and the proper functioning of the internal market other than those covered by Articles 23 and 24.
2.The Commission, when drawing up the delegated acts referred to in paragraph 1, shall take into account in particular the following criteria:
(a)the legal and institutional AML/CFT framework of the third country, in particular:
(i) the criminalisation of money laundering and terrorist financing;
(ii) measures relating to customer due diligence;
(iii) requirements relating to record-keeping;
(iv) requirements to report suspicious transactions;
(v) the availability of accurate and timely information of the beneficial ownership of legal persons and arrangements to competent authorities;
(b)the powers and procedures of the third country’s competent authorities for the purposes of combating money laundering and terrorist financing including appropriately effective, proportionate and dissuasive sanctions, as well as the third country’s practice in cooperation and exchange of information with Member States’ competent authorities;
(c)the effectiveness of the third country’s AML/CFT system in addressing money laundering or terrorist financing risks;
3.For the purposes of determining the level of threat referred to in paragraph 1, the Commission may request AMLA to adopt an opinion aimed at assessing the specific impact on the integrity of the Union’s financial system due to the level of threat posed by a third country.
4.The Commission, when drawing up the delegated acts referred to in paragraph 1, shall take into account in particular relevant evaluations, assessments or reports drawn up by international organisations and standard setters with competence in the field of preventing money laundering and combating terrorist financing.
5.Where the identified specific and serious threat from the concerned third country amounts to a significant strategic deficiency, Article 23(4) shall apply and the delegated act referred to in paragraph 2 shall identify specific countermeasures as referred to in Article 23(5).
6.Where the identified specific and serious threat from the concerned third country amounts to a compliance weakness, the delegated act referred to in paragraph 2 shall identify specific enhanced due diligence measures as referred to in Article 24(4).
7.The Commission shall review the delegated acts referred to in paragraph 2 on a regular basis to ensure that the measures referred to in paragraphs 5 and 6 take account of the changes in the AML/CFT framework of the third country and are proportionate and adequate to the risks.
Article 26
Guidelines on ML/TF risks, trends and methods
1.By [3 years from the date of entry into force of this Regulation], AMLA shall adopt guidelines defining the money laundering and terrorist financing trends, risks and methods involving any geographical area outside the Union to which obliged entities are exposed. AMLA shall take into account, in particular, the risk factors listed in Annex III. Where situations of higher risk are identified, the guidelines shall include enhanced due diligence measures that obliged entities shall consider applying to mitigate such risks.
2.AMLA shall review the guidelines referred to in paragraph 1 at least every two years.
3.In issuing and reviewing the guidelines referred to in paragraph 1, AMLA shall take into account evaluations, assessments or reports of international organisations and standard setters with competence in the field of preventing money laundering and combating terrorist financing.
SECTION 3
Simplified customer due diligence
Article 27
Simplified customer due diligence measures
1.Where, taking into account the risk factors set out in Annexes II and III, the business relationship or transaction present a low degree of risk, obliged entities may apply the following simplified customer due diligence measures:
(a)verify the identity of the customer and the beneficial owner after the establishment of the business relationship, provided that the specific lower risk identified justified such postponement, but in any case no later than 30 days of the relationship being established;
(a)reduce the frequency of customer identification updates;
(b)reduce the amount of information collected to identify the purpose and intended nature of the business relationship, or inferring it from the type of transactions or business relationship established ;
(c)reduce the frequency or degree of scrutiny of transactions carried out by the customer;
(d)apply any other relevant simplified due diligence measure identified by AMLA pursuant to Article 22.
The measures referred to in the first subparagraph shall be proportionate to the nature and size of the business and to the specific elements of lower risk identified. However, obliged entities shall carry out sufficient monitoring of the transactions and business relationship to enable the detection of unusual or suspicious transactions.
2.Obliged entities shall ensure that the internal procedures established pursuant to Article 7 contain the specific measures of simplified verification that shall be taken in relation to the different types of customers that present a lower risk. Obliged entities shall document decisions to take into account additional factors of lower risk.
3.For the purpose of applying simplified due diligence measures referred to in paragraph 1, point (a), obliged entities shall adopt risk management procedures with respect to the conditions under which they can provide services or perform transactions for a customer prior to the verification taking place, including by limiting the amount, number or types of transactions that can be performed or by monitoring transactions to ensure that they are in line with the expected norms for the business relationship at hand.
4.Obliged entities shall verify on a regular basis that the conditions for the application of simplified due diligence continue to exist. The frequency of such verifications shall be commensurate to the nature and size of the business and the risks posed by the specific relationship.
5.Obliged entities shall refrain from applying simplified due diligence measures in any of the following situations:
(a)the obliged entities have doubts as to the veracity of the information provided by the customer or the beneficial owner at the stage of identification, or they detect inconsistencies regarding that information;
(b)the factors indicating a lower risk are no longer present;
(c)the monitoring of the customer’s transactions and the information collected in the context of the business relationship exclude a lower risk scenario;
(d)there is a suspicion of money laundering or terrorist financing.
SECTION 4
Enhanced customer due diligence
Article 28
Scope of application of enhanced customer due diligence measures
1.In the cases referred to in Articles 23, 24, 25 and 30 to 36, as well as in other cases of higher risk that are identified by obliged entities pursuant to Article 16(2), second subparagraph (‘cases of higher risk’), obliged entities shall apply enhanced customer due diligence measures to manage and mitigate those risks appropriately.
2.Obliged entities shall examine the origin and destination of funds involved in, and the purpose of, all transactions that fulfil at least one of the following conditions:
(a)the transactions are of a complex nature;
(b)the transactions are unusually large;
(c)the transactions are conducted in an unusual pattern;
(d)the transactions do not have an apparent economic or lawful purpose.
3.With the exception of the cases covered by Section 2 of this Chapter, when assessing the risks of money laundering and terrorist financing posed by a business relationship or occasional transaction, obliged entities shall take into account at least the factors of potential higher risk set out in Annex III and the guidelines adopted by AMLA pursuant to Article 26.
4.With the exception of the cases covered by Section 2 of this Chapter, in cases of higher risk, obliged entities may apply any of the following enhanced customer due diligence measures, proportionate to the higher risks identified:
(a)obtain additional information on the customer and the beneficial owner(s);
(b)obtain additional information on the intended nature of the business relationship;
(c)obtain additional information on the source of funds, and source of wealth of the customer and of the beneficial owner(s);
(d)obtain information on the reasons for the intended or performed transactions and their consistency with the business relationship;
(e)obtain the approval of senior management for establishing or continuing the business relationship;
(f)conduct enhanced monitoring of the business relationship by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination;
(g)require the first payment to be carried out through an account in the customer’s name with a credit institution subject to customer due diligence standards that are not less robust than those laid down in this Regulation.
5.With the exception of the cases covered by Section 2 of this Chapter, where Member States identify pursuant to Article 8 of Directive [please insert reference – proposal for 6th Anti-Money Laundering Directive - COM/2021/423 final] cases of higher risk, they may require obliged entities to apply enhanced due diligence measures and, where appropriate, specify those measures. Member States shall notify to the Commission and AMLA the enhanced due diligence requirements imposed upon obliged entities established in their territory within one month of their adoption, accompanied by a justification of the money laundering and terrorist financing risks underpinning such decision.
Where the risks identified by the Member States pursuant to the first subparagraph are likely to affect the financial system of the Union, AMLA shall, upon a request from the Commission or of its own initiative, consider updating the guidelines adopted pursuant to Article 26.
6.Enhanced customer due diligence measures shall not be invoked automatically with respect to branches or subsidiaries of obliged entities established in the Union which are located third countries referred to in Articles 23, 24 and 25 where those branches or subsidiaries fully comply with the group-wide policies, controls and procedures in accordance with Article 14.
Article 29
Countermeasures to mitigate ML/TF threats from outside the Union
For the purposes of Articles 23 and 25, the Commission may choose from among the following countermeasures:
(a)countermeasures that obliged entities are to apply to persons and legal entities involving high-risk third countries and, where relevant, other countries posing a threat to the Union’s financial system consisting in:
(i) the application of additional elements of enhanced due diligence;
(ii) the introduction of enhanced relevant reporting mechanisms or systematic reporting of financial transactions;
(iii) the limitation of business relationships or transactions with natural persons or legal entities from those third countries;
(b)countermeasures that Member States are to apply with regard to high-risk third countries and, where relevant, other countries posing a threat to the Union’s financial system consisting in:
(i) refusing the establishment of subsidiaries or branches or representative offices of obliged entities from the country concerned, or otherwise taking into account the fact that the relevant obliged entity is from a third country that does not have adequate AML/CFT regimes;
(ii) prohibiting obliged entities from establishing branches or representative offices of obliged entities in the third country concerned, or otherwise taking into account the fact that the relevant branch or representative office would be in a third country that does not have adequate AML/CFT regimes;
(iii) requiring increased supervisory examination or increased external audit requirements for branches and subsidiaries of obliged entities located in the third country concerned;
(iv) requiring increased external audit requirements for financial groups with respect to any of their branches and subsidiaries located in the third country concerned;
(v) requiring credit and financial institutions to review and amend, or if necessary terminate, correspondent relationships with respondent institutions in the third country concerned.
Article 30
Specific enhanced due diligence measures for cross-border correspondent relationships
With respect to cross-border correspondent relationships, including relationships established for securities transactions or fund transfers, involving the execution of payments with a third-country respondent institution, in addition to the customer due diligence measures laid down in Article 16, credit institutions and financial institutions shall be required, when entering into a business relationship, to:
(a)gather sufficient information about the respondent institution to understand fully the nature of the respondent's business and to determine from publicly available information the reputation of the institution and the quality of supervision;
(b)assess the respondent institution's AML/CFT controls;
(c)obtain approval from senior management before establishing new correspondent relationships;
(d)document the respective responsibilities of each institution;
(e)with respect to payable-through accounts, be satisfied that the respondent institution has verified the identity of, and performed ongoing due diligence on, the customers having direct access to accounts of the correspondent institution, and that it is able to provide relevant customer due diligence data to the correspondent institution, upon request.
Where credit institutions and financial institutions decide to terminate cross-border correspondent relationships for reasons relating to anti-money laundering and counter-terrorist financing policy, they shall document their decision.
Article 31
Prohibition of correspondent relationships with shell banks
Credit institutions and financial institutions shall not enter into, or continue, a correspondent relationship with a shell bank. Credit institutions and financial institutions shall take appropriate measures to ensure that they do not engage in or continue correspondent relationships with a credit institution or financial institution that is known to allow its accounts to be used by a shell bank.
Article 32
Specific provisions regarding politically exposed persons
1.In addition to the customer due diligence measures laid down in Article 16, obliged entities shall have in place appropriate risk management systems, including risk-based procedures, to determine whether the customer or the beneficial owner of the customer is a politically exposed person.
2.With respect to transactions or business relationships with politically exposed persons, obliged entities shall apply the following measures:
(a)obtain senior management approval for establishing or continuing business relationships with politically exposed persons;
(b)take adequate measures to establish the source of wealth and source of funds that are involved in business relationships or transactions with politically exposed persons;
(c)conduct enhanced, ongoing monitoring of those business relationships.
3.By [3 years from the date of entry into force of this Regulation], AMLA shall issue guidelines on the following matters:
(a)the criteria for the identification of persons falling under the definition of persons known to be a close associate;
(b)the level of risk associated with a particular category of politically exposed person, their family members or persons known to be close associates, including guidance on how such risks are to be assessed after the person no longer holds a prominent public function for the purposes of Article 35.
Article 33
List of prominent public functions
1.Each Member State shall issue and keep up to date a list indicating the exact functions which, in accordance with national laws, regulations and administrative provisions, qualify as prominent public functions for the purposes of Article 2, point (25). Member States shall request each international organisation accredited on their territories to issue and keep up to date a list of prominent public functions at that international organisation for the purposes of Article 2, point (25). These lists shall also include any function which may be entrusted to representatives of third countries and of international bodies accredited at Member State level. Member States shall notify those lists, as well as any change made to them, to the Commission and to AMLA.
2.The Commission shall draw up and keep up to date the list of the exact functions which qualify as prominent public functions at the level of the Union. That list shall also include any function which may be entrusted to representatives of third countries and of international bodies accredited at Union level.
3.The Commission shall assemble, based on the lists provided for in paragraphs 1 and 2 of this Article, a single list of all prominent public functions for the purposes of Article 2, point (25). The Commission shall publish that single list shall in the Official Journal of the European Union. AMLA shall make the list public on its website.
Article 34
Politically exposed persons who are beneficiaries of insurance policies
Obliged entities shall take reasonable measures to determine whether the beneficiaries of a life or other investment-related insurance policy or, where relevant, the beneficial owner of the beneficiary are politically exposed persons. Those measures shall be taken no later than at the time of the payout or at the time of the assignment, in whole or in part, of the policy. Where there are higher risks identified, in addition to applying the customer due diligence measures laid down in Article 16, obliged entities shall:
(a)inform senior management before payout of policy proceeds;
(b)conduct enhanced scrutiny of the entire business relationship with the policyholder.
Article 35
Measures towards persons who cease to be politically exposed persons
1.Where a politically exposed person is no longer entrusted with a prominent public function by the Union, a Member State, third country or an international organisation, obliged entities shall take into account the continuing risk posed by that person in their assessment of money laundering and terrorist financing risks in accordance with Article 16.
2.Obliged entities shall apply one or more of the measures referred to in Article 28(4) to mitigate the risks posed by the business relationship, until such time as that person is deemed to pose no further risk, but in any case for not less than 12 months following the time when the individual is no longer entrusted with a prominent public function.
3.The obligation referred to in paragraph 2 shall apply accordingly where an obliged entity enters into a business relationship with a person who in the past was entrusted with a prominent public function by the Union, a Member State, third country or an international organisation.
Article 36
Family members and close associates of politically exposed persons
The measures referred to in Articles 32, 34 and 35 shall also apply to family members or persons known to be close associates of politically exposed persons.
SECTION 5
Specific customer due diligence provisions
Article 37
Specifications for the life and other investment-related insurance sector
For life or other investment-related insurance business, in addition to the customer due diligence measures required for the customer and the beneficial owner, obliged entities shall conduct the following customer due diligence measures on the beneficiaries of life insurance and other investment-related insurance policies, as soon as the beneficiaries are identified or designated:
(a)in the case of beneficiaries that are identified as specifically named persons or legal arrangements, taking the name of the person or arrangement;
(b)in the case of beneficiaries that are designated by characteristics or by class or by other means, obtaining sufficient information concerning those beneficiaries so that it will be able to establish the identity of the beneficiary at the time of the payout.
For the purposes of the first subparagraph, points (a) and (b), the verification of the identity of the beneficiaries and, where relevant, their beneficial owners shall take place at the time of the payout. In the case of assignment, in whole or in part, of the life or other investment-related insurance to a third party, obliged entities aware of the assignment shall identify the beneficial owner at the time of the assignment to the natural or legal person or legal arrangement receiving for its own benefit the value of the policy assigned.
SECTION 6
Performance by third parties
Article 38
General provisions relating to reliance on other obliged entities
1.Obliged entities may rely on other obliged entities, whether situated in a Member State or in a third country, to meet the customer due diligence requirements laid down in Article 16(1), points (a), (b) and (c), provided that:
(a)the other obliged entities apply customer due diligence requirements and record-keeping requirements laid down in this Regulation, or equivalent when the other obliged entities are established or reside in a third country;
(b)compliance with AML/CFT requirements by the other obliged entities is supervised in a manner consistent with Chapter IV of Directive [please insert reference – proposal for 6th Anti-Money Laundering Directive - COM/2021/423 final].
The ultimate responsibility for meeting the customer due diligence requirements shall remain with the obliged entity which relies on another obliged entity.
2.When deciding to rely on other obliged entities situated in third countries, obliged entities shall take into consideration the geographical risk factors listed in Annexes II and III and any relevant information or guidance provided by the Commission, or by AMLA or other competent authorities.
3.In the case of obliged entities that are part of a group, compliance with the requirements of this Article and with Article 39 may be ensured through group-wide policies, controls and procedures provided that all the following conditions are met:
(a)the obliged entity relies on information provided solely by an obliged entity that is part of the same group;
(b)the group applies AML/CFT policies and procedures, customer due diligence measures and rules on record-keeping that are fully in compliance with this Regulation, or with equivalent rules in third countries;
(c)the effective implementation of the requirements referred to in point (b) is supervised at group level by the supervisory authority of the home Member State in accordance with Chapter IV of Directive [please insert reference – proposal for 6th Anti-Money Laundering Directive - COM/2021/423 final] or of the third country in accordance with the rules of that third country.
4.Obliged entities shall not rely on obliged entities established in third countries identified pursuant to Section 2 of this Chapter. However, obliged entities established in the Union whose branches and subsidiaries are established in those third countries may rely on those branches and subsidiaries, where all the conditions set out in paragraph 3, points (a) to (c), are met.
Article 39
Process of reliance on another obliged entity
1.Obliged entities shall obtain from the obliged entity relied upon all the necessary information concerning the customer due diligence requirements laid down in Article 16(1), first subparagraph points (a), (b) and (c), or the business being introduced.
2.Obliged entities which rely on other obliged entities shall take all necessary steps to ensure that the obliged entity relied upon provides, upon request:
(a)copies of the information collected to identify the customer;
(b)all supporting documents or trustworthy sources of information that were used to verify the identity of the client, and, where relevant, of the customer’s beneficial owners or persons on whose behalf the customer acts, including data obtained through electronic identification means and relevant trust services as set out in Regulation (EU) No 910/2014; and
(c)any information collected on the purpose and intended nature of the business relationship.
3.The information referred to in paragraphs 1 and 2 shall be provided by the obliged entity relied upon without delay and in any case within five working days.
4.The conditions for the transmission of the information and documents mentioned in paragraphs 1 and 2 shall be specified in a written agreement between the obliged entities.
5.Where the obliged entity relies on an obliged entity that is part of its group, the written agreement may be replaced by an internal procedure established at group level, provided that the conditions of Article 38(2) are met.
Article 40
Outsourcing
1.Obliged entities may outsource tasks deriving from requirements under this Regulation for the purpose of performing customer due diligence to an agent or external service provider, whether a natural or legal person, with the exception of natural or legal persons residing or established in third countries identified pursuant to Section 2 of this Chapter.
The obliged entity shall remain fully liable for any action of agents or external service providers to which activities are outsourced.
2.The tasks outsourced pursuant to paragraph 1 shall not be undertaken in such way as to impair materially the quality of the obliged entity’s measures and procedures to comply with the requirements of this Regulation and of Regulation [please insert reference – proposal for a recast of Regulation (EU) 2015/847 - COM/2021/422 final]. The following tasks shall not be outsourced under any circumstances:
(a)the approval of the obliged entity’s risk assessment;
(b)the internal controls in place pursuant to Article 7;
(c)the drawing up and approval of the obliged entity’s policies, controls and procedures to comply with the requirements of this Regulation;
(d)the attribution of a risk profile to a prospective client and the entering into a business relationship with that client;
(e)the identification of criteria for the detection of suspicious or unusual transactions and activities;
(f)the reporting of suspicious activities or threshold-based declarations to the FIU pursuant to Article 50.
3.Where an obliged entity outsources a task pursuant to paragraph 1, it shall ensure that the agent or external service provider applies the measures and procedures adopted by the obliged entity. The conditions for the performance of such tasks shall be laid down in a written agreement between the obliged entity and the outsourced entity. The obliged entity shall perform regular controls to ascertain the effective implementation of such measures and procedures by the outsourced entity. The frequency of such controls shall be determined on the basis of the critical nature of the tasks outsourced.
4.Obliged entities shall ensure that outsourcing is not undertaken in such way as to impair materially the ability of the supervisory authorities to monitor and retrace the obliged entity’s compliance with all of the requirements laid down in this Regulation.
Article 41
Guidelines on the performance by third parties
By [3 years after the entry into force of this Regulation], AMLA shall issue guidelines addressed to obliged entities on:
(a)the conditions which are acceptable for obliged entities to rely on information collected by another obliged entity, including in case of remote customer due diligence;
(b)the establishment of outsourcing relationships in accordance with Article 40, their governance and procedures for monitoring the implementation of functions by the outsourced entities, and in particular those functions that are to be regarded as critical;
(c)the roles and responsibility of each actor, whether in a situation of reliance on another obliged entity or of outsourcing;
(d)supervisory approaches to reliance on other obliged entities and outsourcing.
CHAPTER IV
BENEFICIAL OWNERSHIP TRANSPARENCY
Article 42
Identification of Beneficial Owners for corporate and other legal entities
1.In case of corporate entities, the beneficial owner(s) as defined in Article 2(22) shall be the natural person(s) who control(s), directly or indirectly, the corporate entity, either through an ownership interest or through control via other means.
For the purpose of this Article, ‘control through an ownership interest’ shall mean an ownership of 25% plus one of the shares or voting rights or other ownership interest in the corporate entity, including through bearer shareholdings, on every level of ownership.
For the purpose of this Article, ‘control via other means’ shall include at least one of the following:
(a)the right to appoint or remove more than half of the members of the board or similar officers of the corporate entity;
(b)the ability to exert a significant influence on the decisions taken by the corporate entity, including veto rights, decision rights and any decisions regarding profit distributions or leading to a shift in assets;
(c)control, whether shared or not, through formal or informal agreements with owners, members or the corporate entities, provisions in the articles of association, partnership agreements, syndication agreements, or equivalent documents depending on the specific characteristics of the legal entity, as well as voting arrangements;
(d)links with family members of managers or directors/those owning or controlling the corporate entity;
(e)use of formal or informal nominee arrangements.
Control via other means may be determined also in accordance with the criteria of Article 22(1) to (5) of Directive 2013/34/EU.
2.In case of legal entities other than corporate entities, the beneficial owner(s) as defined in Article 2(22) shall be the natural person identified according to paragraph 1 of this Article, except where Article 43(2) applies.
3.Member States shall notify to the Commission by [3 months from the date of application of this Regulation] a list of the types of corporate and other legal entities existing under their national laws with beneficial owner(s) identified in accordance with paragraph 1. The notification shall include the specific categories of entities, description of characteristics, names and, where applicable, legal basis under the national laws of the Member States. It shall also include an indication of whether, due to the specific form and structures of legal entities other than corporate entities, the mechanism under Article 45(3) applies, accompanied by a detailed justification of the reasons for that.
4.The Commission shall make recommendations to Member States on the specific rules and criteria to identity the beneficial owner(s) of legal entities other than corporate entities by [1 year from the date of application of this Regulation]. In the event that Member States decide not to apply any of the recommendations, they shall notify the Commission thereof and provide a justification for such a decision.
5.The provisions of this Chapter shall not apply to:
(a)companies listed on a regulated market that is subject to disclosure requirements consistent with Union legislation or subject to equivalent international standards; and
(b)bodies governed by public law as defined under Article 2(1), point (4) of Directive 2014/24/EU of the European Parliament and of the Council.
Article 43
Identification of beneficial owners for express trusts and similar legal entities or arrangements
1.In case of express trusts, the beneficial owners shall be all the following natural persons:
(a)the settlor(s);
(b)the trustee(s);
(c)the protector(s), if any;
(d)the beneficiaries or where there is a class of beneficiaries, the individuals within that class that receive a benefit from the legal arrangement or entity , irrespective of any threshold, as well as the class of beneficiaries. However, in the case of pension schemes within the scope of Directive (EU) 2016/2341 of the European Parliament and of the Council and which provide for a class of beneficiaries, only the class of beneficiaries shall be the beneficiary;
(e)any other natural person exercising ultimate control over the express trust by means of direct or indirect ownership or by other means, including through a chain of control or ownership.
2.In the case of legal entities and legal arrangements similar to express trusts, the beneficial owners shall be the natural persons holding equivalent or similar positions to those referred to under paragraph 1.
Member States shall notify to the Commission by [3 months from the date of application of this Regulation] a list of legal arrangements and of legal entities, similar to express trusts, where the beneficial owner(s) is identified in accordance with paragraph 1.
3.The Commission is empowered to adopt, by means of an implementing act, a list of legal arrangements and legal entities governed under the laws of Member States which should be subject to the same beneficial ownership transparency requirements as express trusts. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 61(2) of this Regulation.
Article 44
Beneficial ownership information
1.For the purpose of this Regulation, beneficial ownership information shall be adequate, accurate, and current and include the following:
(a)the first name and surname, full place and date of birth, residential address, country of residence and nationality or nationalities of the beneficial owner, national identification number and source of it, such as passport or national identity document, and, where applicable, the tax identification number or other equivalent number assigned to the person by his or her country of usual residence;
(b)the nature and extent of the beneficial interest held in the legal entity or legal arrangement, whether through ownership interest or control via other means, as well as the date of acquisition of the beneficial interest held;
(c)information on the legal entity or legal arrangement of which the natural person is the beneficial owner in accordance with Article 16(1) point (b), as well as the description of the control and ownership structure.
2.Beneficial ownership information shall be obtained within 14 calendar days from the creation of legal entities or legal arrangements. It shall be updated promptly, and in any case no later than 14 calendar days following any change of the beneficial owner(s), and on an annual basis.
Article 45
Obligations of legal entities
1.All corporate and other legal entities incorporated in the Union shall obtain and hold adequate, accurate and current beneficial ownership information.
Legal entities shall provide, in addition to information about their legal owner(s), information on the beneficial owner(s) to obliged entities where the obliged entities are taking customer due diligence measures in accordance with Chapter III.
The beneficial owner(s) of corporate or other legal entities shall provide those entities with all the information necessary for the corporate or other legal entity.
2.Where, after having exhausted all possible means of identification pursuant to Articles 42 and 43, no person is identified as beneficial owner, or where there is any doubt that the person(s) identified is the beneficial owner(s), the corporate or other legal entities shall keep records of the actions taken in order to identify their beneficial owner(s).
3.In the cases referred to in paragraph 2, when providing beneficial ownership information in accordance with Article 16 of this Regulation and Article 10 of Directive [please insert reference – proposal for 6th Anti-Money Laundering Directive - COM/2021/423 final], corporate or other legal entities shall provide the following:
(a)a statement, accompanied by a justification, that there is no beneficial owner or that the beneficial owner(s) could not be identified and verified;
(b)the details on the natural person(s) who hold the position of senior managing official(s) in the corporate or legal entity equivalent to the information required under Article 44(1), point (a).
4.Legal entities shall make the information collected pursuant to this Article available, upon request and without delay, to competent authorities.
5.The information referred to in paragraph 4 shall be maintained for five years after the date on which the companies are dissolved or otherwise ceases to exist, whether by persons designated by the entity to retain the documents, or by administrators or liquidators or other persons involved in the dissolution of the entity. The identity and contact details of the person responsible for retaining the information shall be reported to the registers referred to in Article 10 of Directive [please insert reference – proposal for 6th Anti-Money Laundering Directive - COM/2021/423 final].
Article 46
Trustees obligations
1.Trustees of any express trust administered in a Member State and persons holding an equivalent position in a similar legal arrangement shall obtain and hold adequate, accurate and current beneficial ownership information regarding the legal arrangement. Such information shall be maintained for five years after their involvement with the express trust or similar legal arrangement ceases.
2.The persons referred to in paragraph 1 shall disclose their status and provide the information on the beneficial owner(s) to obliged entities when the obliged entities are taking customer due diligence measures in accordance with Chapter III.
3.The beneficial owner(s) of an express trust or similar legal arrangement other than the trustee or person holding an equivalent position, shall provide the trustee or person holding an equivalent position in a similar legal arrangement with all the information necessary to comply with the requirements of this Chapter.
4.Trustees of an express trust and persons holding an equivalent position in a similar legal arrangement shall make the information collected pursuant to this Article available, upon request and without delay, to competent authorities.
Article 47
Nominees obligations
Nominee shareholders and nominee directors of a corporate or other legal entities shall maintain adequate, accurate and current information on the identity of their nominator and the nominator’s beneficial owner(s) and disclose them, as well as their status, to the corporate or other legal entities. Corporate or other legal entities shall report this information to the registers set up pursuant to Article 10 of Directive [please insert reference – proposal for 6th Anti-Money Laundering Directive - COM/2021/423 final].
Corporate and other legal entities shall also report this information to obliged entities when the obliged entities are taking customer due diligence measures in accordance with Chapter III.
Article 48
Foreign legal entities and arrangements
1.Beneficial ownership information of legal entities incorporated outside the Union or of express trusts or similar legal arrangements administered outside the Union shall be held in the central register referred to in Article 10 of Directive [please insert reference – proposal for 6th Anti-Money Laundering Directive - COM/2021/423 final] set up by the Member State where such entities or trustees of express trusts or persons holding equivalent positions in similar legal arrangements:
(a)enter into a business relationship with an obliged entity;
(b)acquire real estate in their territory.
2.Where the legal entity, the trustee of the express trust or the person holding an equivalent position in a similar legal arrangement enters into multiple business relationships or acquires real estate in different Member States, a certificate of proof of registration of the beneficial ownership information in a central register held by one Member State shall be considered as sufficient proof of registration.
Article 49
Sanctions
Member States shall lay down the rules on sanctions applicable to infringements of the provisions of this Chapter and shall take all measures necessary to ensure that they are implemented. The sanctions provided for must be effective, proportionate and dissuasive.
Member States shall notify those rules on sanctions by [6 months after the entry into force of this Regulation] to the Commission together with their legal basis and shall notify it without delay of any subsequent amendment affecting them.
CHAPTER V
REPORTING OBLIGATIONS
Article 50
Reporting of suspicious transactions
1.Obliged entities shall report to the FIU all suspicious transactions, including attempted transactions.
Obliged entities, and, where applicable, their directors and employees, shall cooperate fully by promptly:
(a)reporting to the FIU, on their own initiative, where the obliged entity knows, suspects or has reasonable grounds to suspect that funds, regardless of the amount involved, are the proceeds of criminal activity or are related to terrorist financing, and by responding to requests by the FIU for additional information in such cases;
(b)providing the FIU directly, at its request, with all necessary information.
For the purposes of points (a) and (b), obliged entities shall reply to a request for information by the FIU within 5 days. In justified and urgent cases, FIUs shall be able to shorten such a deadline to 24 hours.
2.For the purposes of paragraph 1, obliged entities shall assess transactions identified pursuant to Article 20 as atypical in order to detect those that can be suspected of being linked to money laundering or terrorist financing.
A suspicion is based on the characteristics of the customer, the size and nature of the transaction or activity, the link between several transactions or activities and any other circumstance known to the obliged entity, including the consistency of the transaction or activity with the risk profile of the client.
3.By [two years after entry into force of this Regulation], AMLA shall develop draft implementing technical standards and submit them to the Commission for adoption. Those draft implementing technical standards shall specify the format to be used for the reporting of suspicious transactions pursuant to paragraph 1.
4.The Commission is empowered to adopt the implementing technical standards referred to in paragraph 3 of this Article in accordance with Article 42 of Regulation [please insert reference – proposal for establishment of an Anti-Money Laundering Authority - COM/2021/421 final].
5.AMLA shall issue and periodically update guidance on indicators of unusual or suspicious activity or behaviours.
6.The person appointed in accordance with Article 9(3) shall transmit the information referred to in paragraph 1 of this Article to the FIU of the Member State in whose territory the obliged entity transmitting the information is established.
Article 51
Specific provisions for reporting of suspicious transactions by certain categories of obliged entities
1.By way of derogation from Article 50(1), Member States may allow obliged entities referred to in Article 3, point (3)(a), (b) and (d) to transmit the information referred to in Article 50(1) to a self-regulatory body designated by the Member State.
The designated self-regulatory body shall forward the information referred to in the first sub-paragraph to the FIU promptly and unfiltered.
2.Notaries, lawyers and other independent legal professionals, auditors, external accountants and tax advisors shall be exempted from the requirements laid down in Article 50(1) to the extent that such exemption relates to information that they receive from, or obtain on, one of their clients, in the course of ascertaining the legal position of their client, or performing their task of defending or representing that client in, or concerning, judicial proceedings, including providing advice on instituting or avoiding such proceedings, whether such information is received or obtained before, during or after such proceedings.
Article 52
Consent by FIU to the performance of a transaction
1.Obliged entities shall refrain from carrying out transactions which they know or suspect to be related to proceeds of criminal activity or to terrorist financing until they have completed the necessary action in accordance with Article 50(1), second subparagraph, point (a), and have complied with any further specific instructions from the FIU or other competent authority in accordance with the applicable law.
2.Where refraining from carrying out transactions referred to in paragraph 1 is impossible or is likely to frustrate efforts to pursue the beneficiaries of a suspected transaction, the obliged entities concerned shall inform the FIU immediately afterwards.
Article 53
Disclosure to FIU
Disclosure of information in good faith by an obliged entity or by an employee or director of such an obliged entity in accordance with Articles 50 and 51 shall not constitute a breach of any restriction on disclosure of information imposed by contract or by any legislative, regulatory or administrative provision, and shall not involve the obliged entity or its directors or employees in liability of any kind even in circumstances where they were not precisely aware of the underlying criminal activity and regardless of whether illegal activity actually occurred.
Article 54
Prohibition of disclosure
1.Obliged entities and their directors and employees shall not disclose to the customer concerned or to other third persons the fact that information is being, will be or has been transmitted in accordance with Article 50 or 51 or that a money laundering or terrorist financing analysis is being, or may be, carried out.
2.Paragraph 1 shall not apply to disclosures to competent authorities and to self-regulatory bodies where they perform supervisory functions, or to disclosure for the purposes of investigating and prosecuting money laundering, terrorist financing and other criminal activity.
3.By way of derogation from paragraph 1, disclosure may take place between the obliged entities that belong to the same group, or between those entities and their branches and subsidiaries established in third countries, provided that those branches and subsidiaries fully comply with the group-wide policies and procedures, including procedures for sharing information within the group, in accordance with Article 13, and that the group-wide policies and procedures comply with the requirements set out in this Regulation.
4.By way of derogation from paragraph 1, disclosure may take place between the obliged entities as referred to in Article 3, point (3)(a) and (b), or entities from third countries which impose requirements equivalent to those laid down in this Regulation, who perform their professional activities, whether as employees or not, within the same legal person or a larger structure to which the person belongs and which shares common ownership, management or compliance control, including networks or partnerships.
5.For obliged entities referred to in Article 3, points (1), (2), (3)(a) and (b), in cases relating to the same customer and the same transaction involving two or more obliged entities, and by way of derogation from paragraph 1, disclosure may take place between the relevant obliged entities provided that they are located in the Union, or with entities in a third country which imposes requirements equivalent to those laid down in this Regulation, and that they are from the same category of obliged entities and are subject to professional secrecy and personal data protection requirements.
6.Where the obliged entities referred to in Article 3, point (3)(a) and (b), seek to dissuade a client from engaging in illegal activity, that shall not constitute disclosure within the meaning of paragraph 1.
CHAPTER VI
DATA PROTECTION AND RECORD-RETENTION
Article 55
Processing of certain categories of personal data
1.To the extent that it is strictly necessary for the purposes of preventing money laundering and terrorist financing, obliged entities may process special categories of personal data referred to in Article 9(1) of Regulation (EU) 2016/679 and personal data relating to criminal convictions and offences referred to in Article 10 of that Regulation subject to the safeguards provided for in paragraphs 2 and 3.
2.Obliged entities shall be able to process personal data covered by Article 9 of Regulation (EU) 2016/679 provided that:
(a)obliged entities inform their customers or prospective customers that such categories of data may be processed for the purpose of complying with the requirements of this Regulation;
(b)the data originate from reliable sources, are accurate and up-to-date;
(c)the obliged entity adopts measures of a high level of security in accordance with Article 32 of Regulation (EU) 2016/679, in particular in terms of confidentiality.
3.In addition to paragraph 2, obliged entities shall be able to process personal data covered by Article 10 of Regulation (EU) 2016/679 provided that:
(a)such personal data relate to money laundering, its predicate offences or terrorist financing;
(b)the obliged entities have procedures in place that allow the distinction, in the processing of such data, between allegations, investigations, proceedings and convictions, taking into account the fundamental right to a fair trial, the right of defence and the presumption of innocence.
4.Personal data shall be processed by obliged entities on the basis of this Regulation only for the purposes of the prevention of money laundering and terrorist financing and shall not be further processed in a way that is incompatible with those purposes. The processing of personal data on the basis of this Regulation for commercial purposes shall be prohibited.
Article 56
Record retention
1.Obliged entities shall retain the following documents and information in accordance with national law for the purpose of preventing, detecting and investigating, by the FIU or by other competent authorities, possible money laundering or terrorist financing:
(a)a copy of the documents and information obtained in the performance of customer due diligence pursuant to Chapter III, including information obtained through electronic identification means, and the results of the analyses undertaken pursuant to Article 50;
(b)the supporting evidence and records of transactions, consisting of the original documents or copies admissible in judicial proceedings under the applicable national law, which are necessary to identify transactions.
2.By way of derogation from paragraph 1, obliged entities may decide to replace the retention of copies of the information by a retention of the references to such information, provided that the nature and method of retention of such information ensure that the obliged entities can provide immediately to competent authorities the information and that the information cannot be modified or altered.
Obliged entities making use of the derogation referred to in the first subparagraph shall define in their internal procedures drawn up pursuant to Article 7, the categories of information for which they will retain a reference instead of a copy or original, as well as the procedures for retrieving the information so that it can be provided to competent authorities upon request.
3.The information referred to in paragraphs 1 and 2 shall be retained for a period of five years after the end of a business relationship with their customer or after the date of an occasional transaction. Upon expiry of that retention period, obliged entities shall delete personal data.
The retention period referred to in the first subparagraph shall also apply in respect of the data accessible through the centralised mechanisms referred to in Article 14 of Directive [please insert reference – proposal for 6th Anti-Money Laundering Directive - COM/2021/423 final].
4.Where, on [the date of application of this Regulation], legal proceedings concerned with the prevention, detection, investigation or prosecution of suspected money laundering or terrorist financing are pending in a Member State, and an obliged entity holds information or documents relating to those pending proceedings, the obliged entity may retain that information or those documents, in accordance with national law, for a period of five years from [the date of application of this Regulation].
Member States may, without prejudice to national criminal law on evidence applicable to ongoing criminal investigations and legal proceedings, allow or require the retention of such information or documents for a further period of five years where the necessity and proportionality of such further retention have been established for the prevention, detection, investigation or prosecution of suspected money laundering or terrorist financing.
Article 57
Provision of records to competent authorities
Obliged entities shall have systems in place that enable them to respond fully and speedily to enquiries from their FIU or from other competent authorities, in accordance with their national law, as to whether they are maintaining or have maintained, during a five-year period prior to that enquiry a business relationship with specified persons, and on the nature of that relationship, through secure channels and in a manner that ensures full confidentiality of the enquiries.
CHAPTER VII
Measures to mitigate risks deriving from anonymous instruments
Article 58
Anonymous accounts and bearer shares and bearer share warrants
1.Credit institutions, financial institutions and crypto-asset service providers shall be prohibited from keeping anonymous accounts, anonymous passbooks, anonymous safe-deposit boxes or anonymous crypto-asset wallets as well as any account otherwise allowing for the anonymisation of the customer account holder.
Owners and beneficiaries of existing anonymous accounts, anonymous passbooks, anonymous safe-deposit boxes or crypto-asset wallets shall be subject to customer due diligence measures before those accounts, passbooks, deposit boxes or crypto-asset wallets are used in any way.
2.Credit institutions and financial institutions acting as acquirers shall not accept payments carried out with anonymous prepaid cards issued in third countries, unless otherwise provided in the regulatory technical standards adopted by the Commission in accordance with Article 22 on the basis of a proven low risk.
3.Companies shall be prohibited from issuing bearer shares, and shall convert all existing bearer shares into registered shares by [2 years after the date of application of this Regulation]. However, companies with securities listed on a regulated market or whose shares are issued as intermediated securities shall be permitted to maintain bearer shares.
Companies shall be prohibited from issuing bearer share warrants that are not in intermediated form.
Article 59
Limits to large cash payments
1.Persons trading in goods or providing services may accept or make a payment in cash only up to an amount of EUR 10 000 or equivalent amount in national or foreign currency, whether the transaction is carried out in a single operation or in several operations which appear to be linked.
2.Member States may adopt lower limits following consultation of the European Central Bank in accordance with Article 2(1) of Council Decision 98/415/EC. Those lower limits shall be notified to the Commission within 3 months of the measure being introduced at national level.
3.When limits already exist at national level which are below the limit set out in paragraph 1, they shall continue to apply. Member States shall notify those limits within 3 months of the entry into force of this Regulation.
4.The limit referred to in paragraph 1 shall not apply to:
(a)payments between natural persons who are not acting in a professional function;
(b)payments or deposits made at the premises of credit institutions. In such cases, the credit institution shall report the payment or deposit above the limit to the FIU.
5.Member States shall ensure that appropriate measures, including sanctions, are taken against natural or legal persons acting in their professional capacity which are suspected of a breach of the limit set out in paragraph 1, or of a lower limit adopted by the Member States.
6.The overall level of the sanctions shall be calculated, in accordance with the relevant provisions of national law, in such way as to produce results proportionate to the seriousness of the infringement, thereby effectively discouraging further offences of the same kind.
CHAPTER VIII
FINAL PROVISIONS
Article 60
Delegated acts
1.The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.
2.The power to adopt delegated acts referred to in Articles 23, 24 and 25 shall be conferred on the Commission for an indeterminate period of time from [date of entry into force of this Regulation].
3.The power to adopt delegated acts referred to in Articles 23, 24 and 25 may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
4.Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.
5.As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
6.A delegated act adopted pursuant to Articles 23, 24 and 25 shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of one month of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by one month at the initiative of the European Parliament or of the Council.
Article 61
Committee
1.The Commission shall be assisted by the Committee on the Prevention of Money Laundering and Terrorist Financing established by Article 28 of Regulation [please insert reference – proposal for a recast of Regulation (EU) 2015/847 - COM/2021/422 final]. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011 of the European Parliament and of the Council.
2.Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.
Article 62
Review
By [5 years from the date of application of this Regulation], and every three years thereafter, the Commission shall present a report to the European Parliament and to the Council on the application of this Regulation.
Article 63
Reports
By [3 years from the date of application of this Regulation], the Commission shall present reports to the European Parliament and to the Council assessing the need and proportionality of:
(a)lowering the percentage for the identification of beneficial ownership of legal entities;
(b)further lowering the limit for large cash payments.
Article 64
Relation to Directive 2015/849
References to Directive (EU) 2015/849 shall be construed as references to this Regulation and to Directive [please insert reference – proposal for 6th Anti-Money Laundering Directive - COM/2021/423 final] and read in accordance with the correlation table set out in Annex IV.
Article 65
Entry into force and application
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
It shall apply from [3 years from its date of entry into force].
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels,
For the European Parliament
For the Council
The President
The President