Time to harmonize AML control systems for global, commercial Indian companies

Introduction

This publication is a cooperation between Norton Rose Fulbright and Indian law firm Cyril Amarchand Mangaldas. In case of any questions to the CAM team, please reach out to Sara Sundaram, Faraz Alam Sagar  or Kritika Angirish.

For many global organisations, finding the right balance between having global, unified compliance programs, and the need to address local legal and compliance risks, is a challenge. In this blog, we will address the challenge that money laundering and related issues presents to Indian companies operating in Europe.

Recent regulatory developments in India affect Indian companies’ duties and responsibilities in relation to the identification, combating, and the reporting of money laundering. These changes have already triggered many Indian companies to revisit their compliance programs and put in place new mechanisms to reduce Anti-Money Laundering (“AML”) risks. 

In this blog, we suggest that Indian companies operating in Europe should pay attention to the parallel developments of AML regulations in Europe which may affect them as well. After providing an overview of recent developments regarding AML legislation in India, we move to developments in that field in Europe. Considering these parallel developments, we propose that international companies based in India which (partly) operate in Europe as well, may want to design a robust, internal compliance and control system that addresses both legislative requirements and allow those companies to be compliant in all relevant jurisdictions. 

Developments in India

India has been a member of the Financial Action Task Force (“FATF”) since 1989, which in turn has been focusing on two key areas regarding AML: the effectiveness and technical compliance of companies’ internal compliance systems. India has undertaken the following changes to further strengthen its AML regime:

Enlarging the definition of ‘reporting entity’

Persons who are responsible for notifying and conducting AML diligence are categorised as ‘reporting entities’ and include  banking companies, financial institutions (“ FIs” ), intermediaries  and professions or persons carrying on a designated business.  

In 2023, the Indian government implemented a few amendments to the Prevention of Money Laundering Act, 2002 (“PMLA”) and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 (“PML Rules”). The government added to the category ‘professions or persons carrying on a designated business’¹ to include additional professionals, consultants and businesses² as ‘reporting entities’, for example those who are carrying out certain financial activities on behalf of clients. 

There is ambiguity about the scope of the applicability of the amendments, as the phrases ‘in the course of business on behalf of or for another person’ and ‘arranging for another person to act as’ are unclear or have not been clarified or defined yet. Nevertheless, and despite the limited clarity, the intention is likely to bring more professionals, consultants and businesses within the scope of PMLA. 

Duties of a reporting entity

Because of these recent amendments to the PML Rules, it is now necessary to implement group-wide AML and Combating the Financing of Terrorism (“CFT”) policies, particularly for entities that form part of a group. These policies emphasize sharing information for client due diligence and AML/CFT purposes, while maintaining confidentiality and the prevention of tipping-off. Additional changes may include:

1. Ensuring identification of beneficial owners at the start of an account-based relationship;
2. Mandatory recording of financial transactions involving politically exposed persons (“PEPs”);
3. Collection of financial transaction information for non-profit organizations or NGOs;
4. Submission of information in respect of top management, partners, beneficiaries, trustees, settlors, and writers; and
5. Collecting information from clients on their registered office and primary place of business.

The documentation required for due diligence should now include more comprehensive information about the client's structure and operations.

The Master Directions of the Reserve Bank of India (“RBI”) consolidates instructions on rules and regulations framed by the RBI under various Acts, including issues relating to non-financial institutions. The Know Your Customer (KYC) Direction (2016) of the RBI applies to companies governed by the RBI, which includes branches and subsidiaries in which entities outside of India have a majority stake, provided they do not violate local laws. Subsidiaries of foreign-incorporated banks are therefore encouraged to apply the stricter regulation between the RBI norms and their home country regulators.

Developments in Europe

EU Regulation matters for Indian companies

While the EU regulatory framework on AML is primarily designed with companies originating in Europe in mind, there are many instances where it may be required, or at least beneficial for foreign companies, such as Indian companies operating in Europe, to consider implementing relevant compliance measures and ensure they are prepared in the following instances:

• Establishments in the EU: Companies with branches, subsidiaries, or any form of establishment within the EU may directly be subject to the EU regulatory framework.³ This includes compliance with customer due diligence (CDD) requirements, reporting obligations, and adherence to the EU’s beneficial ownership transparency rules.
• Cross-Border Business: Even if a company does not have a physical presence in the EU, if it conducts transactions with EU-based entities, particularly involving EU financial institutions or other obliged entities, it may fall within the scope of the regulation.⁴ For instance, if an Indian company processes payments through EU banks or engages in business with European obliged entities, it must ensure that these transactions comply with EU AML standards.
• Banking and Financial Services: Indian companies utilizing EU financial institutions for banking or other financial services are indirectly impacted by the regulation. EU banks are required to apply enhanced due diligence when dealing with foreign companies, especially those from jurisdictions perceived as having weaker AML controls. This could result in additional scrutiny of the Indian company’s transactions, requiring it to provide extensive documentation to verify the legitimacy of its funds and the identities of its beneficial owners.
• Supply Chain and Business Partners: Indian companies working with EU-based clients or suppliers may also be impacted by the regulation, as their European partners will likely require them to comply with EU AML regulations to avoid regulatory breaches themselves. This could include requests for detailed information on ownership structures, transaction histories, and AML compliance measures.
• High-Risk Sectors: In particular, if an Indian company operates in sectors deemed high-risk for money laundering (e.g., real estate, precious metals, or digital assets), the regulation’s provisions are more likely to be rigorously applied.⁵ Such companies may face greater regulatory scrutiny and are expected to implement robust internal AML controls to satisfy EU regulatory expectations.

In conclusion, Indian companies operating in Europe must be aware of the implications and potential effects of the EU regulatory framework, even if their domestic regulations differ. This may involve implementing stricter internal controls, enhancing record-keeping practices, and ensuring that staff are adequately trained in AML procedures. As the EU continues to tighten its AML regulations, foreign companies with ties to Europe must take a proactive approach in maintaining compliance to avoid facing legal and financial risks.

Risk of non-compliance

Since the implementation of the 2018 Directive on combating money laundering through criminal law, there is a harmonized baseline across the EU that mandates a minimum imprisonment term of four years for intentional offences. For legal entities, the Directive prescribes severe penalties, including temporary or permanent bans from commercial activities, judicial supervision, or even a judicial order for dissolution. 

Irrespective of the fact that there may be no directly applicable regulation to foreign companies, even non-financial institutions are exposed to elementary risks if they become involved in money laundering (“ML”) activities as a result of inadequate precautionary measures:

• Legal Consequences: Both companies and individuals involved in ML can face severe legal consequences. Directors may be prosecuted, and companies can be fined, have assets confiscated, or lose their licenses. Additionally, business partners may hold non-financial businesses liable for involvement in ML.
• Business Losses: Illicit funds can contaminate company assets, leading to significant losses. Many jurisdictions allow civil recovery orders to reclaim crime proceeds without requiring a criminal conviction. ML in a supply chain can also result in overpayments and further losses. Further, involvement in ML can cause delays and disruptions as banks perform additional AML checks or block transactions. These actions can breach contracts and result in additional costs for replacing compromised partners.
• Reputational Risks: Even an innocent company implicated in an ML scheme risks reputational damage and loss of trust from the public and business community. High-profile cases, like Google and Facebook paying fraudulent invoices, highlight the potential embarrassment and long-term consequences that can arise.⁶
• Access to finance: Businesses involved in ML or operating in high-risk areas may face restricted or costly financial services access. FIs are increasingly "de-risking" by severing ties with high-risk clients, forcing businesses to rely on smaller, less secure banks, which exacerbates ML risks even more.

What do Indian companies need to know?

As already indicated, AML regulations are complex and multi-layered, and are mostly tailored to FIs. Moreover, the current framework for (foreign) non-financial businesses remains quite underdeveloped. However, (foreign) non-financial businesses are not entirely excluded from AML regulations. In fact, there has been an increasing trend to include these as well. 

In June 2024 the EU published a new Regulation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (Reg. 2024/1624, the “AML Regulation”) as part of a broad AML legislation package. The AML Regulation will be directly applicable without transformation into national law of the member states as of 10 July 2027 and harmonize minimum standards for AML Compliance, some of which are also directly relevant for (foreign) non-financial businesses:

• Cash Payment Limits: Despite existing varying limits on cash transactions in some member states, the AML Regulation implements a ban of cash payments over EUR 10,000 as a minimum standard, even if the transaction is effected in several tranches that appear to be linked.⁷ 
• UBO Registers: Since the Fourth AML Directive required EU Member States to establish Ultimate Beneficial Ownership (UBO) registers to record the beneficial owners of certain companies, the AML Regulation has harmonised the threshold of 25% of shares or voting rights for beneficial ownership. Companies must keep this information up to date, and failure to do so may result in criminal sanctions.
• Obliged Entities: Following a recent trend, the AML Regulation has expanded the list of Designated Non-Financial Businesses and Professions (“DNFBPs”) to include, amongst others, persons trading in precious metals, stones or other high-value goods, such as jewellery, watches with a value exceeding EUR 10,000 or motor vehicles of a price exceeding EUR 250,000.⁸

In addition, non-financial businesses are indirectly affected by the stringent AML requirements on FIs and DNFBPs, as those FIs and DNFBPs increasingly demand non-financial businesses for respective information, e.g. the proof of funds, to fulfil their obligations under the regulatory framework. As a result, non-obliged entities will also have to ensure AML compliance , as well as not indirectly facilitating ML/TF activities, particularly through their supply chains or client transactions, to have access to regulated financial service providers. 

While enforcement actions against non-financial businesses in the EU have been less frequent in the past, the current trend suggests that increased scrutiny and enforcement in this sector is likely to arise in the future:

• As part of the new AML package, the EU adopted the 6th AML Directive (Directive 2024/1640, the "AMLD6"). This must be implemented by the member states by July 2027. In particular, it provides a specific regulation for the access to beneficial ownership registers and the powers and responsibilities of Financial Intelligence Units ("FIUs") and overlapping national authorities. 
• In addition, the package included Regulation 2024/1620 (the "AMLA Regulation"), which establishes a new EU-wide enforcement body: the Authority for Anti-Money Laundering and Countering the Financing of Terrorism ("AMLA"). The AMLA will be headquartered in Frankfurt and will commence operations in 2025. In the non-financial sector, AMLA will operate in a supportive role, conducting reviews and investigating potential violations of AML regulations. Additionally, AMLA will serve as the coordinating body for national financial intelligence units engaged in investigating potential violations of anti-money laundering (AML) regulations.

This evolving enforcement landscape underscores the need for non-financial businesses to remain vigilant and proactive in understanding and adapting to AML obligations, even if they are not directly regulated under current frameworks.

Conclusion and recommendations

The developments and trends as set out in section II and III both in India and Europe, may require companies to react to this by renewing their compliance programs and control systems. 

Although financial institutions in India have already been subject to a set of obligations by the PMLA, including assessing client referrals, performing due diligence on complex corporate structures, integrating KYC processes, storing biometric and personal data, and tracing the source of funds or financial positions, the widened scope of ‘professions or persons carrying on a designated business’ may pose as a challenge for the new in-scope professions, especially when guidance by the regulator on this is lacking. Moreover, the future trajectory of the Indian companies in the international space depends on their ability to integrate international compliance standards and implement rigorous approaches to combating suspicious activities and KYC standards. 

The EU has demonstrated its commitment to pursuing a comprehensive AML strategy by adopting its new package in the summer of 2024. This shows not only the intention to continue with extensive regularisation, but also to intensify efforts in enforcing consistent standards across the board. The focus is now shifting towards new sectors and business models outside the traditional field of financial institutions.

In the course of these developments, Indian companies may consider familiarising themselves with changing European regulations and standards if they want to operate across borders or rely on European suppliers in a careful and compliant manner. 

Because of all this, companies should prepare in time and may consider the following:

1. Conducting an assessment if they fall within the scope of reporting entity under PMLA;
2. Implementing robust prevention and detection systems to mitigate AML risks;
3. Conducting a proper AML risk assessment of their own activities in different jurisdictions;
4. Identifying red flags within the whole chain of business activities;  
5. Implementing and maintaining internal control and compliance policies to address AML challenges and risks both top down via global parent companies as well as bottom up via local subsidiaries; 
6. Ensuring that all employees are trained in identifying suspicious activities or transactions, and raising awareness regarding reporting duties;
7. Keeping accurate and detailed records of all data related to client due diligence and transaction monitoring;
8. Establishing internal controls ensuring authorized and accurately recorded financial transactions and dealings with third parties;
9. Developing a policy for reporting suspicious transactions and conducting ongoing diligence, particularly when dealing with foreign entities, using exhaustive checklists and internal review mechanisms;
10. For Indian Companies (i) part of a group company; (ii) who are the ultimate beneficial owners; and/or (iii) where the group company or ultimate beneficiary owner is located outside India, consider implementing a global policy to ensure uniformity and compliance with AML standards and to adapt to the new developments. This is especially important in India as the RBI is on high alert for compliance measures after recent problems with another Indian financial institution.