Financial institutions in the European Union will soon be required to report information about the real owners of the businesses with which they interact, and report suspicious transactions in the interest of combating tax crimes and terrorist financing, under new anti-money laundering rules published by the European Parliament.

Known as the Fourth Anti-Money Laundering Directive (AMLD), the EU rules went into force June 26, when they were published in the Official Journal of the European Union. EU member states now have two years to implement them into national law.

One of the most significant changes under the AMLD is that each EU member state establish a central register of information on the beneficial owners of companies. The AMLD defines a beneficial owner as the person who directly or indirectly owns a “sufficient percentage of the shares or voting rights or ownership interest.” For example, a “shareholding of 25 percent plus one share, or an ownership interest of more than 25 percent in the customer held by a natural person, shall be an indication of direct ownership,” the directive states.

Companies will need to report to the member state’s central register the full legal name, month and year of birth, nationality, and country of residence, as well as nature and extent of interests of beneficial owners. The broader implications of the new reporting requirements “will increase the level of transparency across all transactions,” says Ambrose Loughlin, a partner with law firm McCann Fitzgerald in Dublin.

From a practical standpoint, that means financial institutions in particular will want to pay close attention to their customer due diligence and monitoring processes. “You need to be absolutely sure that the information you have is accurate, that you’re recording the right information, that you have the appropriate systems and controls in place, that you’re doing the due diligence you need to do,” says Michael Ruck, a senior associate with law firm Pinsent Masons in the United Kingdom.

In addition to financial institutions, the new reporting obligations also apply to auditors, external accountants, tax advisors, credit institutions, and more. The scope of the AMLD further covers a broader range of transactions, by cutting the reporting threshold for companies involved in making or receiving cash payments for goods from €15,000 to €10,000.

“Making this information fully public would provide instant access for those investigating corrupt money trails in and outside the European Union.”
Carl Dolan, Director, Transparency International-EU

The AMLD for the first time also sweeps in gambling service providers; historically, AML rules have applied only to casinos. Providers of gambling services could be required to perform due diligence for transactions of €2,000 or more, unless member states provide exemptions on the basis of the “proven low risk posed by the nature and, where appropriate, the scale of operations of such services,” the directive says.

Casinos will not be eligible for exemptions, but those businesses are already accustomed to heavy oversight. For gambling service providers, it will be a “much more onerous regime, because they have to get up to speed on all these regulations,” says James Maton, a partner with law firm Cooley in London.

Access to beneficial ownership information in each member state’s central register will be given to law enforcement and relevant government bodies. In addition to enforcement officials, “obligated entities,” such as banks performing customer due diligence, could also get access to the information, as well as journalists, if they can demonstrate a “legitimate interest.”

“Making this information fully public would provide instant access for those investigating corrupt money trails in and outside the European Union,” Carl Dolan, director of Transparency International-EU, said in a statement.

Risk-Based Approach

The AMLD also calls on both member states and companies to take a risk-based approach, which most financial institutions already do as a best practice, Loughlin says. The difference is that these risk-based assessments will now be mandatory, he says.

“It’s an attempt to move risk assessments away from a box-ticking exercise,” Maton says. “The onus is placed on the financial institution to assess how high risk a transaction or a customer is, and then to act accordingly.”


The following is a non-exhaustive list of factors and types of evidence of potentially higher risk, requiring enhanced customer due diligence, as set out in the EU’s Fourth Anti-Money Laundering Directive.
(1) Customer risk factors:
(a) The business relationship is conducted in unusual circumstances;
(b) Customers that are resident in geographical areas of higher risk as set out in point (3);
(c) Legal persons or arrangements that are personal asset-holding vehicles;
(d) Companies that have nominee shareholders or shares in bearer form;
(e) Businesses that are cash-intensive;
(f) The ownership structure of the company appears unusual or excessively complex given the nature of the company’s business;
(2) Product, service, transaction or delivery channel risk factors:
(a) Private banking;
(b) Products or transactions that might favor anonymity;
(c) Non-face-to-face business relationships or transactions, without certain safeguards, such as electronic signatures;
(d) Payment received from unknown or unassociated third parties;
(e) New products and new business practices, including new delivery mechanism, and the use of new or developing technologies for both new and pre-existing products;
(3) Geographical risk factors:
(a) Without prejudice to Article 9, countries identified by credible sources, such as mutual evaluations, detailed assessment reports or published follow-up reports as not having effective AML/CFT systems;
(b) Countries identified by credible sources as having significant levels of corruption or other criminal activity;
(c) Countries subject to sanctions, embargos or similar measures issued by, for example, the Union or the United Nations;
(d) Countries providing funding or support for terrorist activities, or that have designated terrorist organizations operating within their country.
Source: EU Anti-Money Laundering Directive.

According to the AMLD, companies should “take appropriate steps to identify and assess the risks of money laundering and terrorist financing, taking into account risk factors including those relating to their customers, countries or geographic areas, products, service,  transactions, or delivery channels.” Those steps should be “proportionate to the nature and size” of the business. The directive further lays out a list of factors and types of evidence that may indicate a high-risk customer, transaction, or geographic region.

The AMLD requires that companies have in place internal policies, procedures, and controls to mitigate the risk of money laundering and terrorist financing. Such measures should include appointing a compliance officer “at management level” where appropriate, with regard to the size and nature of the business.

Risk assessments should also be “documented, kept up-to-date, and made available to the relevant competent authorities and self-regulatory bodies concerned,” the AMLD states. From a practical standpoint, this means companies should be able to show why they applied a particular risk rating to each customer.

The AMLD also sets out record-keeping obligations: Companies should maintain for at least five years the information obtained through customer due diligence measures and transaction records.

Politically Exposed Persons

Companies will also have to expand the scope of due diligence they perform on politically exposed persons (PEPs), as the directive has broadened the scope of PEPs to include not just those located outside of the country where the financial institution operates, but now also domestic PEPs, as well. “That’s going to significantly widen the pool of customers that will be regarded as high-risk and that will involve more compliance checks,” Maton says.

The range of PEPs for which financial institutions have to perform due diligence is broad, including heads of state, supreme court judges, members of parliament, and their family members. In cases involving business relationships with these PEPs, the AMLD calls on member states to require companies to:

Obtain senior management approval for establishing or continuing business relationships with such persons;

Take adequate measures to establish the source of wealth and source of funds that are involved in business relationships or transactions with such persons; and

Conduct enhanced, ongoing monitoring of those business relationships.

Where a PEP is no longer entrusted with a prominent public function by a member state or a third country, the company should still for a period of at least 12 months “take into account the continuing risk posed by that person and to apply appropriate and risk-sensitive measures” until that person is deemed to no longer pose a risk.

The directive sets a maximum fine of at least twice the amount of the benefit derived from a breach or at least €1 million. Those fines are stiffer for credit or financial institutions, which face a maximum fine of €5 million or 10 percent of total annual turnover for cases involving legal persons, or €5 million for cases involving a natural person. “These aren’t small financial penalties,” Ruck says.

Enforcement regulators around the world are pursuing money laundering with more vigor than ever before and targeting companies for deficiencies in their anti-money laundering compliance programs. In response, companies would be wise to review their AML compliance programs and current anti-money laundering regulations in every part of the world where they operate, but now especially the European Union.