PwC discusses AML Global Alignment: Two Steps Forward, One Step Back

The fourth and latest iteration of the EU’s anti-money laundering directive (AMLD IV) was published on June 5th, after clearing its last legislative stop at the European Parliament. The new directive brings the EU’s anti-money laundering laws more in line with the US’s, which is welcome news for financial institutions that are operating in both jurisdictions. However, in a few areas, the directive establishes requirements that go beyond US regulations and common market practices, and could be costly to implement.

Recent enforcement actions against financial institutions highlight the importance of compliance with anti-money laundering (AML) and terrorism financing regulations. These actions are evidence that despite the progress made in mitigating AML risks and rooting out prior misconduct, financial institutions are still falling short of regulators’ expectations. Lack of harmonization in AML requirements between the US and EU has further complicated the compliance efforts of global institutions that are looking to standardize the Know Your Customer (KYC) component of their AML programs across key jurisdictions.

AMLD IV promises to better align the EU’s AML regime with the US’s by adopting a more risk-based approach compared to its predecessor. Certain components of the regulation, however, go beyond current requirements in both the EU and US. For instance, more public officials are brought within the scope of the directive, and EU member states are required to establish new registries of “beneficial owners” (i.e., those who ultimately own or control each company) which will impact banks. Thus, while AMLD IV is a step in the right direction for global harmonization, it will pose new implementation challenges.

The directive will become effective on June 25th (twenty days after its publication in the EU’s official journal). EU member states will then have two years to implement the directive’s requirements on a national level. Importantly, the directive imposes minimum requirements, which may be augmented by EU national regulators. Therefore, even within the EU, full harmonization remains an open question.

This post provides (a) pertinent background on EU and US AML regulations, (b) an analysis of major changes that are introduced in AMLD IV, and (c) our view of what global banks operating in the EU should be doing now.

Background

In 1989 the Financial Action Task Force (FATF) was established in the EU with the goal of harmonizing AML laws and regulations globally. Subsequently, the EU’s first AMLD was passed into law in 1991, based on recommendations (e.g., for transaction recordkeeping and reporting) made by the FATF. The directive has been updated twice since, in 1999 and in 2005, in response to the evolving nature of money laundering and terrorism financing threats. Its most recent iteration, AMLD IV (initially proposed in 2013), continues this trend by adopting a more risk-based compliance approach which is more consistent with the approach taken in the US.

The US AML framework was first established in 1970 under the Foreign Currency and Transaction Reporting Act of 1970, commonly known as the Bank Secrecy Act (BSA), which required transaction record keeping and reporting by private individuals, banks, and other financial institutions, among other provisions. Similar to the EU’s AMLD, the US AML framework has since been enhanced via multiple amendments and laws. The most significant of these enhancements was the USA PATRIOT Act of 2001 (USAPA), which takes a risk-based approach to AML by, e.g., subjecting customers that are considered high risk (such as foreign private banking and foreign correspondent customers) to enhanced due diligence.

AMLD IV – Key changes

The latest EU directive enhances the previous iteration (i.e., AMLD III) by (a) expanding the scope of its risk-based approach, (b) putting the onus on the financial institutions to determine when customers are eligible for simplified due diligence, (c) broadening the definition of “politically exposed persons” (i.e., those who occupy prominent public functions that could be abused for money laundering or terrorism financing purposes) thus requiring careful monitoring of more such individuals, and (d) imposing new requirements with respect to tracking beneficial owners.

A risk-based approach to compliance

AMLD IV expands the scope of the risk-based approach of AMLD III. Whereas AMLD III detailed its risk-based approach for identifying politically exposed persons (PEPs) and beneficial owners, AMLD IV broadens this approach beyond these categories and requires an evidence-based assessment of virtually all risks associated with money laundering and terrorism financing. Under AMLD IV, financial institutions are therefore expected to assess their exposure to each relevant risk, and to take risk mitigation measures that are commensurate with this assessment.

The risk-based approach in AMLD IV better aligns the EU’s AML framework with the US’s by seeking to ensure that higher risk customer categories are properly identified and addressed.

Simplified due diligence

Under AMLD III, financial institutions could perform a simplified form of due diligence on specific categories of customers that generally pose lower money laundering or terrorism financing risk (e.g., regulated banks). In order to prevent financial institutions from merely relying on specific categories (without performing further risk assessment), AMLD IV requires banks to determine simplified due diligence eligibility based on their own assessment of each customer’s risk profile.  To assist with this process, EU supervisory authorities (ESAs)[1] are expected to provide guidance on risk factors to be considered in determining simplified due diligence eligibility.

US banks have already been taking a somewhat similar approach to AMLD IV’s by utilizing an exemption under US regulations with regards to the identification and verification of similar customer-types and the risks they pose. Therefore, although AMLD IV’s simplified due diligence may appear to be a significant compliance challenge for US firms, these banks’ experience with the US exemption can be leveraged to bring their EU operations into conformance with the new directive.

More public officials brought under the umbrella

Due to potential risks associated with PEPs, financial institutions are required to apply additional risk mitigation measures with respect to business relationships with PEPs. AMLD III limited the PEP definition to cover only customers who reside outside the local jurisdiction. AMLD IV expands this definition by requiring that financial institutions consider domestic persons for PEP designation as well. AMLD IV also clarifies the PEP definition by providing a list of public functions that rise to the appropriate level of prominence. We expect these changes to capture significantly more individuals within the PEP definition, especially since the definition also covers PEPs’ associates and close family members. In addition, AMLD IV requires financial institutions to continue to monitor and mitigate risks posed by PEPs for at least 12 months after they leave public office.

These changes diverge from current US requirements (as detailed in the FFIEC[2] examination manual) in three areas. First, the FFIEC manual provides a less specific PEP definition to allow for differences in the prominence of a specific public office between jurisdictions. Second, the FFIEC manual distinguishes between foreign and domestic PEPs, subjecting foreign PEPs to a higher level of scrutiny. Finally, the FFIEC manual does not provide a minimum term for monitoring and risk mitigation of PEPs after they leave public office.

Among these differences, we expect the PEP definition to be the most challenging for financial institutions to reconcile between the two jurisdictions. Using a single PEP definition across all jurisdictions could streamline compliance processes; however, to do so financial institutions must adopt the more robust PEP definition under AMLD IV, which would lead to a larger number of PEP designees, especially within private banking where PEPs form a large subset of clients. Alternatively, firms may sacrifice consistency by implementing different PEP definitions in the US and EU to reduce direct compliance costs. The ultimate choice for each institution depends on its unique client base in each jurisdiction, as well as its AML compliance capabilities, among other factors.

Beneficial ownership registries

AMLD IV introduced the requirement that each EU member state create a registry identifying and maintaining certain information about beneficial owners within their jurisdiction. This measure is intended to prevent individuals from circumventing regulatory restrictions by conducting their transactions through a corporate vehicle.

AMLD IV’s definition of beneficial owner is similar to AMLD III and the definition proposed last year by the Treasury’s Financial Crimes Enforcement Network (FinCEN).[3] However, FinCEN’s proposal does not require establishment of a beneficial owner registry. We believe the beneficial ownership registry will represent an operational challenge for financial institutions operating in the EU because these institutions will have to begin checking this registry as part of their current KYC processes. Furthermore, the directive allows member states to require financial institutions (in addition to their clients) to update the registry upon obtaining new beneficial ownership information, which would pose an even more significant challenge.

What should global banks be doing now?

Having experienced notorious struggles with implementing previous directives, US firms operating in the EU should start planning now to implement the key changes defined in AMLD IV. At a minimum, these firms should decide whether to strengthen their policies, procedures, and internal controls on a global level (i.e., by applying the strictest of the US and EU requirements in each area), or to choose to adopt AMLD IV requirements only in the EU. A proactive implementation strategy will help ensure that global financial institutions understand implementation challenges early-on and can bring their existing global AML programs into conformance with AMLD IV in the most efficient way.

ENDNOTES

[1] ESAs are the European Banking Authority, the European Securities and Markets Authority, and the European Insurance and Occupational Pensions Authority. In addition to supervising the EU’s financial system, ESAs are often called on in the EU to draft highly technical financial regulations.

[2] The FFIEC is a regulatory council composed of the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Consumer Financial Protection Bureau, and the National Credit Union Administration.

[3] In August 2014, FinCEN proposed customer due diligence requirements, including a beneficial ownership provision defined as a person who has either a controlling role within the company, or owns at least 25% of the business.

The preceding post comes to us from PwC.  It is based on a memorandum issued by PwC in June, 2015, which is available in full here.