From the time the fourth Money Laundering Directive (MLD4) was adopted, there were calls for change, and significant political pressure to introduce at least some changes to be implemented within the agreed MLD4 timeline. The original proposals for change (known as the fifth Money Laundering Directive (MLD5)), published in July 2016, even called for MLD4 implementation to be fast-tracked, to January 2017. This, of course, did not happen, and neither did agreement on MLD5 until nearly the end of 2017. As a result, implementation of MLD5 will now not be until mid-2019, which brings into question how the UK will implement it, given the ongoing uncertainty over how it will treat EU laws falling to be implemented after Brexit.
Emma Radmore looks at what MLD5 is now almost certain to say, and its timeline for likely implementation.
Why another law so soon?
Not least because of the time it takes from conception of EU legislation to its adoption (let alone its implementation), it is a constant danger that measures will be at best out of date and at worst no longer fit for purpose by the time they hit the statute books. MLD4 was a prime example of this. It took over two years from the first proposal from the European Commission to the adoption of the Directive, and the Directive provided the not uncommon two year implementation period. So, by the time firms had to comply with it, over four years had passed since the original proposal. Given the subject matter of MLD4, criminals had, during that period, found several new products and strategies to use.
The key concerns of the European Commission related to:
- the need to clarify enhanced due diligence (EDD) measures and countermeasures in relation to high risk third countries: although MLD4 sets out more detail on EDD than its predecessors, the Commission was concerned these were not enough
- adapting to technology and evolving risks to bring virtual currency exchange platforms (providers engaged primarily and professionally in exchange services between virtual and fiat currencies) and custodian wallet providers (wallet providers that offer custodial services of credentials necessary to access virtual currencies) within the scope of anti-money laundering (AML) measures. The proposals also introduce a definition of "virtual currencies". The proposals evolved with the support of the European Parliament (EP) and the European Banking Authority (EBA). The EBA, though, warned that Member States would need time to develop the regime, rather than (as some proposed) trying to shoe-horn it into the second Payment Services Directive (PSD2)
- addressing the risks of anonymous prepaid instruments. The Commission acknowledged the need to balance the risks of anonymity with the need to give vulnerable people the ability to have a means of on- and off-line payment. The Commission wanted to lower the customer due diligence (CDD) exemption in MLD4 from €250 to €150, and to restrict the use of non-EU issued prepaid cards to those that meet EU standards
- improving access to beneficial ownership (BO) information and requiring Member States to set up central mechanisms to identify holders and controllers of bank and payment accounts. The former would include clarifications on the requirement to hold information on trusts in ownership registries and on who would have the right to access the information. The latter would help investigation and enforcement agencies and the Commission has consulted on widening access to certain public authorities; and
- giving investigation and enforcement agencies greater powers to require information.
What happened next?
After the initial flurry of activity, negotiations stalled for some time, because the Council did not have a negotiating mandate under which it could engage in discussions with the European Parliament. Finally, it obtained the mandate. At this point, the Parliamentary Committees looked at the proposals and adopted their reports, while the Presidency of the Council published a number of compromise texts. The version of the text which is now to be approved by the Parliament. Current indications are that the vote will not take place until April 2018. Only after approval in plenary session by the EP can the Council then proceed to formally adopt the Directive. And only after its publication in the Official Journal of the EU following adoption will the transposition clock start to tick.
MLD5 will (if agreed in the current form), among other things:
- extend coverage past auditors, accountants and tax advisers to cover also any other person who provides, directly or indirectly, "material aid", assistance or advice on tax matters as a principal business or professional activity
- include within the "estate agent" category letting agents when they rent properties with a monthly rent of at least €10,000
- extend coverage to providers engaged in exchange services between virtual currencies (defined as "a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency, and does not possess a legal status of currency or money, but is accepted by natural or legal persons, as a means of exchange, and which can be transferred, stored and traded electronically") and fiat currencies; custodian wallet providers (defined as those that provide services to safeguard private cryptographic keys on behalf of customers, to hold, sort and transfer virtual currencies); persons trading or acting as intermediaries in trade in works of art, or those storing, trading or acting as intermediaries in art trade where carried out by freeports, in each case where the value of a transaction or linked transactions is at least €10,000
- limit the scope of the definition of "electronic money" to exclude certain instruments and transactions exempt under PSD2
- amend the current power of the Commission to adopt acts identifying high risk third countries to require it to take into account strategic deficiencies now to include the availability of accurate and timely information on beneficial ownership, the sanctions for breach and the country's approach to co-operation and information exchange
- extend the ban on anonymous accounts and passbooks also to safe deposit boxes
- reduce the amounts in relation to limited due diligence for pre-paid e-money instruments from €250 to €150, without permitting any national increases, and reduce the amount for a single withdrawal or transaction in relation to which the simplified measures can apply from €100 to €50. Additionally, Member States must ban payments made with anonymous pre-paid cards issued in third countries unless the cards meet similar requirements to the EU requirements (with a 6 month transition period), and Member States are permitted to prohibit all payments made with anonymous prepaid cards
- explicitly recognise within CDD methods electronic identification as set out under the eIDAS Regulation or otherwise approved or accepted by the relevant Member States
- specifically require that where an identified beneficial owner is the entity's senior manager (where it cannot otherwise identify a BO), then the firm must take "necessary reasonable measures" to verify the identity of the natural person holding that position and keep records of what it has done and any problems it faced
- require that where the customer is subject to registration of beneficial ownership information, the firm must collect proof of registration or an excerpt from the register
- mandate that the requirement to apply CDD measures to existing customers be triggered not only on a risk-sensitive basis, but also when the relevant circumstances of a customer change or where the firm has any legal duty during any relevant calendar year to contact the customer to review any relevant information in relation to the beneficial owners or under Directive 2011/16/EU on tax cooperation
- widen the obligation to apply enhanced due diligence to include the new Article 18a of MLD4 on specific information requirements in relation to business relationships or transactions involving high risk third countries, and permitting Member States to require firms to ensure the first payment be carried out through an account with an institution subject to EU AML requirements or the equivalent, and to put in place additional measures including reporting requirements and limiting business relationships or transactions with relevant persons. Member States can also refuse establishment of subsidiaries, branches or representative offices by "obliged entities" from the relevant country, but they must tell the Commission before applying some of these measures
- insert new provisions to require Member States to issue and keep up to date a list of exact functions that they consider to be prominent public functions
- amend the requirements of Article 30 MLD4 on beneficial ownership to require Member States to impose proportionate sanctions for breach, to require beneficial owners to provide the relevant entities with the information they need and to require both relevant entities and regulators to report discrepancies between the central registers and other sources of beneficial ownership information
- permit public access to the beneficial ownership register in respect of limited information (and this can be subject to a registration requirement or a fee which would not exceed the costs of actually making the information available)
- make other changes to the beneficial ownership register rules, particularly in respect of requirements on investigation and enforcement agencies, and requiring information to be available for at least five years and no more than 10 after the entity has been struck off the register
- amend Article 31 MLD4 to ensure it applies to a wide range of trusts and trust-like arrangements, and require Member States to identify characteristics arrangements would have in order to fall within the requirements
- require Member States to establish central beneficial ownership registries for trusts to be available to authorities, obliged entities, any other person who can show a legitimate interest and any person who files a relevant written request, and allowing limited wider access. The addition generally mirrors the provisions relating to corporate entities
- require the Commission to adopt technical specifications for the interconnection of registers
- add a new Article 32a to require Member States to put in place centralised measures to allow retrieval of information on natural or legal persons controlling payment accounts and bank accounts, and safe deposit boxes. Names of holders, beneficial owners, IBAN numbers and account opening and closing details, and lessee information on safe deposit boxes must be held
- strengthen protection for those who report suspicions
- give Member States 20 months to set up the trust BO registries, and 26 to set up the payment account registries.
What should firms do?
Firms are not obliged to do anything at the moment. However, forewarned is forearmed, and it is possible that the UK regulators will decide to introduce some of these reforms (or something akin to them) before the due implementation date, and even if the UK will not legally need to implement MLD5 at all. Additionally, some of the MLD5 reforms will to some extent merely reflect developing risks which firms may pick up and wish to control as part of their risk-based procedures in any event.