EU chastises 8 member states on AML even as bank watchdog girds guidelines for gauging fincrime risk

The Skinny:

  • In continuing quest to show strong stance on AML, punish countries that tarry, EU chastises eight member states.
  • The EU Commission sent letters to Cyprus, Hungary, the Netherlands, Portugal, Romania, Slovakia, Slovenia and Spain for not transposing the EU 5th AML Directive into law by January.
  • In lock step, the European Banking Authority has released a public consultation on revised money laundering and terrorist financing risk factor guidelines to help banks better tune fincrime risk assessments – and aid examiners in spotting weak programs.

By Brian Monroe
bmonroe@acfcs.org
February 28, 2020

The European Union is formally threatening Cyprus, the Netherlands, Spain and five other countries for tarrying on implementing updated financial crime compliance defenses – even as a banking watchdog strengthens guidelines on how institutions broadly calculate money laundering risks.

The European Union Commission has sent letters of formal notice to Cyprus, Hungary, the Netherlands, Portugal, Romania, Slovakia, Slovenia and Spain for not having notified any implementation measures for the EU’s Fifth Anti-Money Laundering Directive (5th AML) – rules updated more than two years ago with a January 2020 deadline. 

The 27 EU states were required to enact by January tighter rules to counter dirty-money risks in a wide range of sectors, including cryptocurrency exchanges, prepaid cards and shell companies.

The rules were proposed in 2016 by the EU Commission in the wake of the Paris terrorist attacks which killed more than 130 people. The clampdown was meant to hamper terrorist funding and other financial crimes, according to Reuters.

“Anti-money laundering rules are instrumental in the fight against money laundering and terrorism financing,” the EU said in a statement. “Recent money laundering scandals have revealed the need for stricter rules at EU level.”

The scandals the EU is referring to have their communal epicenter tied to Danske Bank, which is under investigation in several countries including the United States related to more than 200 billion euros ($220 billion) of transactions through its branch in Estonia between 2007 and 2015, many of which the bank has openly admitted were suspicious in nature and tied to higher risk regions, including Russia.

“Legislative gaps occurring in one Member State have an impact on the EU as a whole,” the EU commission wrote.

All Member States had to implement the rules of the 5th AML Directive by January 10. Currently, these named countries have two months to make the needed improvements or they will be sent reasoned opinions.

While this may seem a relatively muted response for a country failing to implement AML obligations, that is only a few steps removed from the commission sending these countries before the EU Court of Justice, which could decide the regions must pay daily fines until their respective regimes are dubbed compliant.

EBA updates fincrime risk ranking expectations

The European Banking Authority (EBA), which had previously left much of the work on AML to the EU Commission, EU Parliament and member state regulatory groups, has been tasked in recent months with throwing its weight into the fincrime fray.

The EBA this month issued a public consultation on revised money laundering and terrorist financing (ML/TF) risk factors Guidelines as part of a broader communication, coordination and cooperation effort on AML and counter-financing of terrorism (CFT) issues. The consultation runs until May 5, 2020.

This update builds on changes to the EU Anti Money Laundering and Counter Terrorism Financing (AML/CFT) legal framework and new ML/TF risks, including those identified by the EBA’s overall implementation reviews of financial institutions, which noted, overall, examiners must focus less on minor program issues and better focus on large-scale failures.

These refreshed fincrime risk guidelines, addressed to banks and regulators, are “central to the EBA’s work to lead, coordinate and monitor the fight against money laundering and terrorist financing,” the authority said in a statement.

Since January 1, 2020, the EBA has “had an enhanced role in the countering of money laundering and terrorism financing and will be responsible for developing regulatory and technical standards and other guidelines and recommendations for preventing AML/CTF risks, as well as collecting information on breaches of AML/CTF rules,” according to a missive to clients by law firm Shearman & Sterling.

The three European Supervisory Authorities jointly developed Risk Factor Guidelines, but these will now be the EBA’s sole mandate to update, according to the report.

Some of the changes made by the 5MLD to the EU’s AML/CFT requirements are:

  • The scope of “obliged entities” has been extended to include providers of exchange services between virtual and fiat currencies, as well as custodian wallet providers.
  • Harmonization of the application of enhanced customer due diligence for third countries that are determined by the European Commission to be high-risk countries.
  • Reduction of the thresholds under which obliged entities are exempt from applying certain CDD measures to prepaid cards.
  • Enhanced access to information on beneficial ownership across the EU and improved transparency in the ownership of companies and trusts.

EU regulators too quick to tick

On the same day as the oversight body updated its fincrime risk expectations, the EBA also published a second report assessing the approach by national regulators to uncover gaps in supervision of AML and CFT risks.  

The second EBA report offered critical recommendations for improvements to stronger supervisory approaches, including better domestic and international information sharing and shift the exam focus to effectiveness, rather than just technical compliance, according to Shearman.

The EBA report highlights that national regulators need to “focus more on assessing the systems and controls within a firm to identify, assess and monitor AML/CFT risks, instead of adopting a ‘tick box’ approach, according to the law firm.

The EBA also considers that national regulators could be “more dissuasive and proportionate when imposing remedial measures to correct deficiencies in a firm’s systems and controls,” a clear nod to the AML and sanctions penalties handed out by the U.S. and other jurisdictions that have soared into the billions of dollars.

Even so, the EBA is attempting to build a foundation for what banks should do and regulators expect with its updated risk guidance, which ushers in more granularity on how institutions can ratchet up customer due diligence efforts when they encounter higher perceived illicit finance risk.

In the eyes of many U.S. regulators, the CDD and know-your-customer (KYC) efforts of a bank form the foundation of the more data-driven risk assessment – which typically drops customers in a low, medium or high slot – and that ranking further sensitizes an institution’s automated transaction monitoring system.

The guidance should put top AML officers on notice that regional examiners will more rigorously grade the CDD initiatives when analyzing the accuracy and depth of related bank risk assessments.

In tandem, in its revised risk guidance, the EBA is proposing key changes on compliance with the provisions on enhanced CDD measures related to high-risk third countries – think regions known to be strongholds for organized criminal groups, or regions rife with corruption and at or near terror hot spots.

As well, the guidance adds new sectoral guidelines related to the oversight and processes related to crowdfunding platforms, corporate finance, payment initiation services providers (PISPs) and account information service providers (AISPs) and for firms providing activities of currency exchanges offices.

The revised Guidelines also provide more precise details on terrorist financing risk factors and CDD measures, including on the identification of beneficial ownership structures and the use of innovative solutions to better identify and verify the identity of customers.

The proposed changes will “significantly strengthen Europe’s AML/CFT defenses and foster greater convergence of supervisory practices in areas where supervisory effectiveness has been hampered, so far, by divergent approaches in the implementation of the same European legal requirements,” the EBA said, (via the EU Commission) and (via the European Banking Authority). 

Monroe’s Musings: The moves by the EU commission to come down harder on recalcitrant regimes and the EBA attempting to better firm up the foundation of many bank AML programs, while putting more heat on examiners, is not surprising.

The Danske Bank money laundering scandal and a litany of related probes have resulted in Estonia booting Danske out of the country and has spawned aggressive investigations into banks in the Nordic and Baltic regions, the U.S. and Europe, particularly Swedbank and Deutsche Bank, among others.

At the supranational level, the Danske scandal has caused European Union financial oversight bodies and regulators, at the country and bloc level, to engage in a game of naming, blaming and shaming, with accusations and recriminations at all levels on how and why the Danske Bank scandal could occur in the first place and fester for so long under the noses of examiners.

In recent months, the EU has pushed to create a dedicated pan-bloc AML oversight and enforcement body that would put regional regulators in the hot seat and better attempt to see fincrime vulnerabilities happening across multiple member states – the modus operandi of large, sophisticated organized criminal groups, corrupt oligarchs and terror networks.

The message to banks in Europe is clear: You had better get your AML house in order because more regulators will be looking more aggressively at your program and if they don’t like what they see, be prepared to react, and act, quickly – or face harsher sanctions and less leeway than in years past.