The new EU AML/CFT regime has arrived – are you ready?

Introduction

On 19 June 2024, the European Union’s (EU) new anti-money laundering / countering the financing of terrorism (AML/CFT) regime was published in the Official Journal of the EU (OJ). The basis of the new regime was the European Commission’s (Commission) May 2020 Action Plan for a comprehensive EU policy on preventing money laundering and terrorism financing. This followed a 2019 communication from the Commission which warned about fragmentation in the EU AML/CFT framework. The legislative proposals were originally published by the Commission in July 2021 and thereafter took co-legislators almost three years to reach agreement.

In essence the new regime comprises of two key components, a new EU AML/CFT authority (AMLA) and an EU Single AML/CFT Rulebook. The EU legislation implementing the new EU AML/CFT authority is a Regulation, Regulation (EU) 2024/1620 of the European Parliament and of the Council of 31 May 2024 establishing the Authority for Anti-Money Laundering and Countering the Financing of Terrorism and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 (AMLA Regulation). Two pieces of legislation implement the EU Single AML/CFT Rulebook. The first is a new Regulation, Regulation (EU) 2024/1624 of the European Parliament and of the Council of 31 May 2024 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AML Regulation). The second is a Directive, Directive (EU) 2024/1640 of the European Parliament and of the Council of 31 May 2024 on the mechanisms to be put in place by Member States for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Directive (EU) 2019/1937, and amending and repealing Directive (EU) 2015/849 (MLD 6). A key point to note about the new legislation is that for the first time the EU’s AML/CFT regime is being partly prescribed by Regulations which are directly applicable in Member States. In addition, the EU has never before had a dedicated AML/CFT authority.

The Commission additionally presented as part of the proposal a regulation recasting the regulation on transfers of funds - Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849 (Funds Transfer Regulation) that aims to make transfers of crypto-assets more transparent and fully traceable which was adopted in May 2023 and will apply as of December 2024.

Timing

It is important to note that the majority of the provisions in the new EU AML/CFT regime do not come into force immediately thereby giving both Member States and the firms that operate within them time to prepare.

In terms of timing:

• The AMLA Regulation entered into force on 26 June 2024 and applies from 1 July 2025 except for Articles 1, 4, 49, 53 to 55, 57 to 66, 68 to 71, 100, 101 and 107, which apply from 26 June 2024, and Article 103, which applies from 31 December 2025.
• The AML Regulation entered into force on 9 July 2024 and applies from 10 July 2027, except in relation to ‘obliged entities’ referred to in Article 3(3)(n) and (o), to which it will apply from 10 July 2029.
• The AMLD 6 also entered into force on 9 July 2024 and Member States are required to bring into force the laws, regulations and administrative provisions necessary to comply with the Directive by 10 July 2027. By way of derogation from this, Member States are to bring into force provisions necessary to comply with Article 74 by 10 July 2025, with Articles 11, 12, 13 and 15 by 10 July 2026 and with Article 18 by 10 July 2029.

EU AML/CFT Single Rulebook

Previously, EU AML/CFT legislation has taken the form of Directives so the AML Regulation is novel. It will enable Member States to have frameworks that are more uniform across the EU, as opposed to the Directives which allow some leeway in transposition. Some of the provisions currently contained in the Fourth Anti-Money Laundering Directive (MLD 4) are moved to the AML Regulation and the MLD 6. The AML Regulation and the MLD 6 also contain new provisions. To help Member States and the entities in scope understand what is being moved where, a correlation table appears in both the AML Regulation and the MLD 6 which identifies the MLD 4 provisions that are being moved to them.

Scope

To mitigate new and emerging risks, the AML Regulation expands the scope of the EU AML/CTF regime. Under the MLD 4 ‘obliged entities’ are required to apply AML/CFT measures. Most financial institutions (banks, life insurance companies, payment service providers and investment firms) are obliged entities and this also includes certain non-financial entities including lawyers, accountants and certain types of crypto-asset service providers. The AML Regulation expands the list of obliged entities to include:

• All types and categories of crypto-asset service providers.
• Crowdfunding platforms including crowdfunding service providers that fall in scope of the EU Crowdfunding Regulation.
• Mortgage credit intermediaries and consumer credit providers that are not financial institutions.
• Operators working on behalf of third country nationals to obtain a residence permit to live in an EU country.
• Persons that trade in certain high-value goods such as jewellery, clocks and watches, luxury motor vehicles, planes and boats (defined as costing more than EUR 250,000 for motor vehicles and more than EUR 7,500,000 for planes and boats), as well as traders in precious metals and stones.
• Professional football clubs but only when carrying out certain transactions such as those with investors, sponsors or agents, as well as football agents.

For those Member States that have national laws that allow for the granting of residence rights in exchange for any kind of investment (for example capital transfers or purchase or renting of property) the MLD 6 requires that they implement certain measures, including a risk management process, to mitigate money laundering risks. Member States will also have to publish an annual report on the risks of money laundering associated with the granting of residence rights in exchange for investment. Those reports shall be made public and shall include information on the number of received applications and of countries of origin of the applicants.

Policies and procedures

The AML Regulation builds on the provisions in the MLD 4 that deal with internal policies, controls and procedures that obliged entities need to have in place. Being a Regulation its provisions on the customer due diligence process and the identification of beneficial ownership harmonises the relevant requirements across the EU. Whilst the correlation table mentioned above is useful when considering where these requirements have ended up in the AML Regulation, firms will still need to study them carefully noting in particular any changes in drafting when compared to the previous MLD 4 provisions.

The AML Regulation also includes new provisions and the headlines include:

• Any employee, or person in a comparable position, including agents and distributors, directly participating in the obliged entity’s compliance with the AML Regulation shall be subject to an assessment prior to taking up their activities and then regularly thereafter (Article 13).
• A risk-based approach is to be applied when an obliged entity outsources tasks to service providers. For each outsourced task, the obliged entity must demonstrate to its supervisor that it understands the rationale behind the activities carried out by the service provider and the approach followed in their implementation, and that such activities mitigate the specific risks to which the obliged entity is exposed. By 10 July 2027, the AMLA is to issue guidelines addressed to obliged entities on the establishment of outsourcing relationships, their governance and the procedures for monitoring the implementation of functions; the roles and responsibility of the obliged entity and the service provider within an outsourcing agreement; and supervisory approaches to outsourcing as well as supervisory expectations regarding the outsourcing of critical functions (Article 18).
• The AMLA will develop implementing technical standards specifying a common template for suspicious activity reports by 10 July 2026. By 10 July 2027, the AMLA will issue guidelines on indicators of suspicious activity or behaviours and such guidelines shall be periodically updated (Article 69).
• Changes are made to the limits on large cash payments in exchange for goods or services. Subject to certain exceptions, persons trading in goods or providing services may accept or make a payment in cash only up to an amount of EUR 10,000 or the equivalent in national or foreign currency, whether the transaction is carried out in a single operation or in several operations which appear to be linked. When limits already exist at national level which are below this limit, they shall continue to apply. Member States shall notify those limits to the Commission by 10 October 2024 (Article 80).
• Given the higher exposure to risks that obliged entities face due to their gatekeeping role, they will have to carry out customer due diligence when they carry out transactions in cash above EUR 3,000 (Article 19).
• Certain provisions are introduced where transactions involve the sale of certain high-value goods. Such goods include jewellery, gold, clocks, and watches when the cost exceeds EUR 10,000, as well as motor vehicles priced over EUR 250,000, and planes and boats priced over EUR 7,500,000 (Articles 19, 25 and Annex IV).
• There is a prohibition of bearer shares that are not intermediate (Article 79).
• There are disclosure obligations on nominee shareholders and nominee directors (Article 66).

Groups

On 12 March 2024, the Commission published a letter containing a provisional request for advice from the European Banking Authority (EBA), regarding regulatory technical standards (RTS) and guidelines under the EU AML/CFT Single Rulebook. The Commission identified these technical standards as priority areas and included the mandate contained in Article 16(4) of the AML Regulation where the AMLA is to develop draft RTS specifying the minimum requirements of group-wide policies, including minimum standards for information sharing within the group, the criteria for identifying the parent undertaking and the conditions under which the provisions of Article 2, point 42 (b) (groups whose head office is located outside the EU) apply to entities that are part of structures which share common ownership, management or compliance control, including networks or partnerships, as well as the criteria for identifying the parent undertaking in the Union in those cases. The EBA is to deliver its advice on the provisional request by 31 October 2025.

Beneficial ownership

The concept of beneficial ownership was introduced to increase transparency of complex corporate structures. The need to access accurate, up-to-date and adequate information on the beneficial owner is considered to be a key factor in tracing criminals who might otherwise be able to hide their identity behind opaque structures. Member States are currently required to ensure that corporate and other legal entities, as well as express trusts and other similar legal arrangements, obtain and hold adequate, accurate and up-to-date information on their beneficial ownership. However, the degree of transparency imposed by Member States currently varies.

So to ensure the consistent identification of beneficial owners the AML Regulation sets out harmonised transparency requirements and this includes a new provision regarding a requirement to disclose beneficial ownership for non-EU entities that have a link with the EU (Article 67 AML Regulation).

Public access to beneficial ownership registers has also been addressed albeit by the MLD 6. This is primarily to deal with the November 2022 Court of Justice judgment which invalidated general access by the public to information held in beneficial ownership registers. The MLD 6 provides that Member State authorities will have immediate, unfiltered, direct and free access to registers across the EU. Obliged entities will also have timely access to such information when performing customer due diligence, as was previously the case. As regards the wider public, the MLD 6 defines how persons with legitimate interest can access information. Categories of persons deemed to have a legitimate interest include journalists, civil society organisations and third country competent authorities. The MLD 6 sets out a procedure for the verification and mutual recognition of a legitimate interest across the EU.

Bank account registers

The MLD 6 makes certain changes as regards bank account registers and electronic data retrieval systems by expanding the scope of information to be included in the centralised mechanisms by adding information on securities and crypto-asset accounts. There are also provisions that will allow Member State Financial Intelligence Units (FIUs), national AML/CFT supervisory authorities and the AMLA with direct access to the bank account registers’ interconnection system (BARIS) which is to be developed and operated by the Commission.

Supervisory colleges

The MLD 6 contains provisions regarding AML/CFT supervisory colleges in both the financial and the non-financial sector and cooperation with supervisors in third countries. This includes that by 10 July 2026, the AMLA will develop technical standards as regards the general conditions for the functioning of AML/CFT supervisory colleges in the financial sector, including the terms of cooperation between permanent members and observers, and the operational functioning of such colleges. By 10 July 2029, the AMLA is to develop technical standards specifying the template to be used for Member State cooperation agreements with third countries.

Crypto sector

The EU legal framework for regulating the provision of crypto-asset services is now set out in Regulation (EU) 2023/1114 on markets in crypto-assets (MiCAR). The AML Regulation covers the activities in MiCAR and, as mentioned above, includes crypto-assets providers in scope of obliged entities. It grants authorities various powers over crypto-assets providers, in particular the ability to monitor or prevent specific transactions 24 and 25 AML Regulation). To prevent the illicit use of crypto-assets, the AML Regulation prohibits the provision and custody of anonymous crypto-asset accounts or accounts allowing for the anonymisation or increased obfuscation of transactions by crypto-asset service providers, including through anonymity-enhancing coins. Such prohibition does not apply to providers of hardware and software or providers of self-hosted wallets insofar as they do not possess access to or control over those crypto-asset wallets (Recital 160 and Article 79 AML Regulation).The AML Regulation also introduces specific enhanced due diligence measures that crypto-asset service providers will have to apply in their cross border correspondent relationships and when performing transactions with self-hosted wallets (Article 37 AML Regulation).

New rules are also introduced whereby crypto-asset service providers involved in crypto-asset transfers will have to collect and make accessible data on the originators and beneficiaries of the transfers of virtual or crypto assets they operate. This is done via the Funds Transfer Regulation and will apply from 30 December 2024, together with MICAR.

AMLA Regulation

Arguably the most contentious part of the new EU AML/CFT regime is the AMLA. The AMLA is designed to be a central authority with the mandate to monitor and coordinate AML/CFT activities in the EU. It is intended to ensure that the implementation and enforcement of AML/CFT measures are consistent and effective across all Member States. The AMLA will have two main areas of responsibility: AML/CFT supervision of ‘obliged entities’ and supporting EU FIUs. It’s home will be in Frankfurt, Germany.

Obliged entities

Whilst Member State AML/CFT supervisors will continue to be key players in the EU’s AML/CFT regime the AMLA will replace them as the AML/CFT supervisor in certain instances. When directly supervised by the AMLA, supervision will be carried out by a joint supervisory team led by staff from the AMLA itself together with staff from the relevant Member State supervisor.

The AMLA will directly supervise credit institutions and financial institutions, and groups of credit institutions and financial institutions (financial sector obliged entities), that are active in at least six Member States and have a high residual risk profile in accordance with a level 2 methodology to be developed by the AMLA. The AMLA Regulation refers to such entities as ‘selected obliged entities’.

The AMLA’s selection of such entities will be based on objective criteria centred on risk categorisation and cross-border activity. The list of selected obliged entities will be reviewed every three years. The methodology for categorisation of such entities by Member State supervisors will be harmonised prior to the first selection. The first selection process based on the level 2 methodology will be carried out by the AMLA in 2027, with the selected entities transferred to EU-level supervision as of 2028.

The AMLA may also ask the Commission to make a decision to place a financial sector obliged entity under its direct supervision, irrespective of meeting the level 2 methodology for a limited period of time. This may occur where the AMLA believes that an entity is systematically failing to meet its AML/CFT requirements and that a significant money laundering/terrorist financing risk may materialise, should the Member State supervisor be unable to take action to deal with such risks as recommended by the AMLA.

A Member State supervisor may also ask the AMLA to take over direct supervision of a financial sector obliged entity in exceptional circumstances to address at the EU level a heightened money laundering/terrorist financing risk or compliance failures.

With respect to financial sector obliged entities that are directly supervised, the AMLA Regulation provides the AMLA with certain investigatory powers and the power to impose pecuniary sanctions and periodic penalty payments.

Working with FIUs

In terms of FIUs, the AMLA will seek to facilitate co-operation, information exchange and identify best practices. It will do this by establishing standards for reporting and information exchange, initiating or supporting joint operational analyses, organising peer reviews among FIUs and developing the FIU.NET system used by both FIUs and Europol to exchange and cross-match information. The AMLA will itself be an end-user of the system and its functionalities.

Timing and composition

Currently, the intention is for the AMLA to start most of its activities in mid-2025 and reach full staffing in 2027. As mentioned above, it will begin directly supervising certain high-risk financial entities in 2028. In terms of full staffing the AMLA is expected to have over 430 staff members with 200 of these working on direct supervision. The AMLA will also have an Executive Board and a General Board. The Executive Board will take decisions towards individual obliged entities or individual supervisory authorities. It will also take decisions regarding AMLA’s draft budget and other matters relating to the AMLA’s operations and functioning. The General Board will adopt all regulatory instruments and may also issue an opinion on a decision about a directly supervised obliged entity that has been prepared by a joint supervisory team before a final decision is adopted by the Executive Board.

By 31 December 2030, and every five years thereafter, the Commission will draw up a report on the AMLA’s performance, in accordance with the guidelines produced by the Commission.

Working with the EBA

The EBA will retain its AML/CFT powers and mandates until December 2025 to minimise disruption and will work closely with the AMLA. During this transition phase the EBA will also support Member State supervisors and help prepare them for the AMLA.

Central AML database

Another key task of the AMLA will be to establish and keep up-to-date a central database of information. Member State supervisors are to transmit to the AMLA certain information which is further specified in Article 11 of the AMLA Regulation, including data related to individual obliged entities. Such data includes the outcomes and reports of thematic reviews and other horizontal supervisory actions with regard to high-risk areas or activities. The AMLA is to develop draft technical standards specifying, among other things, the scope and level of detail required and the procedure, formats and timelines for transmission.

Conclusion

The new EU AML/CFT regime has arrived so firms need to get ready for it. The new regime is nothing short of a revolution in EU financial services law with direct AML/CFT regulation across the entire financial services sector for the first time.

Whilst the new EU AML/CFT regime will not come into immediate effect there might be a couple of steps that firms should consider now in order to prepare. As always with financial services the devil is in the detail so perhaps a useful place to start may be to look at the provisions in the AML Regulation and MLD 6 and see how they compare with the MLD 4. Once this scoping has been completed firms may be in a better position to ask themselves what updates they need to make to their policies and procedures, and systems and controls. For those larger institutions, where direct supervision by the AMLA is a real prospect, the key question for the moment, is what does direct supervision exactly mean when compared to Member State supervision and what changes will have to be made to internal processes?

And finally, there will no doubt be a lot more coming down the line on the new EU AML/CFT regime. Firms will need to keep an eye out for the forthcoming consultations that will be issued covering the technical standards and level 3 guidelines etc. and for the national legislation in connection with the introduction of the new European regime.. But they should also keep an eye out for ‘soft guidance’ that will also be issued in the form of Commission speeches etc.