The Fourth Anti-Money Laundering (AML) Directive was released in May 2015 and the reforms to the AML rules will become EU law on 26th June 2017. The UK legislation will come into force just before the deadline of 26th June 2017.
What is going to change with the Fourth AML Directive?
The areas the AML Directive has changed are outlined below:
Note – “Designated persons” are now known as “obliged entities” under the Fourth AML Directive.
There is a new requirement for a “National Risk Assessment”, whereby Member States will need to provide evidence that appropriate steps have been taken to identify, assess, understand and mitigate AML/CTF (Counter Terrorist Financing) risks.
The risk factors taken into consideration to assess AML/CTF risks are now more explicit and include risks such as customer, product and geography.
The Fourth AML Directive is stricter with the on-going monitoring of customers and will require specific consideration and evidence when conducting risk assessments for customers.
Therefore, obliged entities must fully understand the risk rating behind every one of their customers.
Legal companies (including legal persons) and trustees must hold adequate, accurate and current information about the company’s own beneficial ownership. This information must be readily available to the Central Bureau of Investigation (CBI) and obliged entities upon request.
The current Third AML Directive states that customers can be either low or high risk. If a customer is low risk they undergo simplified customer due diligence, but if a customer is high risk they undergo enhanced customer due diligence. With the Fourth AML Directive, obliged entities must be able to evidence why customers are low risk in order to justify the performance of simplified customer due diligence.
The definition of Politically Exposed Persons (PEPs) has been extended to include domestic PEPs. Therefore, obliged entities need to review their list of customers to see if any existing customers are now considered to be PEPs under the new definition.
In addition, if a customer ceases to be a PEP, obliged entities need to monitor the risk of the customer for at least 18 months from that point onwards, rather than 12 months as stated in the Third AML Directive.
The Third AML Directive listed jurisdictions in which AML/CTF legislation was considered to be equivalent to that in the EU. However, the Fourth AML Directive revokes the equivalent status of these jurisdictions. Therefore, obliged entities need to perform risk assessments on countries they do business in and customers from these countries.
The Fourth AML Directive states that the maximum retention period for customer due diligence documents is 5 years, but this may increase up to 10 years if required under local legislation.
What is new in the Fourth AML Directive?
A new requirement for a firm’s policies and procedures states that data protection elements must be considered within the AML/CTF policies and procedures when sharing customer information.
The Fourth AML Directive also states that for subsidiaries in countries where AML/CTF legislation is of a lower standard, the AML/CTF legislation of the regulated entity’s home Member State should be used.
A definition of “senior management” has been introduced in the Fourth AML Directive and is given below.
“Senior management is defined as an officer or employee with sufficient knowledge of the institution’s money laundering and terrorist financing risk exposure and sufficient seniority to take decisions affecting its risk exposure, and need not, in all cases, be a member of the board of directors.”
To strengthen the relationship between the Financial Intelligence Units (FIUs) of the Member States, they will exchange information with each other, and the requirements for all include that:
What actions need to be taken to comply with the Fourth AML Directive?
As part of the new National Risk Assessment, evidence must be provided to justify how and why these steps have been taken to mitigate AML/CTF risks.
As part of the on-going monitoring of customers, the risk rating of each customer needs to be fully understood by obliged entities. Once a customer’s risk rating has been determined from their risk assessment, it indicates what type of customer due diligence needs to be performed. High risk customers undergo enhanced customer due diligence and low risk customers undergo simplified customer due diligence. Therefore, robust evidence needs to be provided for all customers to justify the type of customer due diligence performed.
The risk assessments of existing customers need to be reviewed as the scope of PEPs has expanded to include domestic PEPs. Therefore, customers that are flagged up as domestic PEPs must have their risk assessment changed to correctly reflect their risk rating. The definition of PEPs also applies to new customers, and obliged entities must ensure this is incorporated into the firm’s procedures to remain in accordance with the Fourth AML Directive.
Customers must be monitored for a further 18 months by the obliged entities when they cease to be a PEP.
If a firm conducts business in a country where the equivalent status has been revoked, a robust risk assessment must be performed to determine the risk of the country. Therefore, if a country is high risk, enhanced customer due diligence must be performed for customers from this country.
In regard to a firm’s data protection elements, firms must ensure policies and procedures are robust and take into account relevant AML/CTF risks when sharing customer information.