What does the new EU AML package mean for your organisation?

Harmonisation in legislation on money laundering and terrorist financing

Publication
28 Oct 2024

The new package of European legislation to prevent money laundering and terrorist financing (AML/CFT), which entered into force this year, aims to strengthen and harmonise existing AML/CFT legislation across member states. Thomas Rijneveld, who works for PwC clients in the financial sector, outlines what is changing and what organisations can do to prepare until the package becomes applicable.

‘The AML/CFT package has been in development for some time’, says Rijneveld. ‘With the recent clarification of the content and timelines for the transition, financial service providers and other entities falling within the scope of the AML/CFT package can carefully consider the steps they will take.’

The AML package includes the introduction of the first AML/CFT-related EU regulation and a new AML/CFT directive to improve harmonisation between member states. This harmonisation will be accompanied by a comprehensive overhaul of the EU’s existing AML/CFT supervision and enforcement framework. Furthermore, a new European Anti-Money Laundering Authority (AMLA) is being established, expected to become operational in 2025 and to begin direct supervision of selected financial institutions in 2026.

Anti-Money Laundering Authority

The AMLA is the cornerstone of the reformed EU anti-money laundering framework. The supervisory authority, to be established in Frankfurt, will have direct and indirect supervisory and enforcement powers and a coordinating role for all national AML/CFT supervisors in the EU (also outside the financial services sector).

Some of the main responsibilities of AMLA are:

Direct supervision of selected obliged entities
Groups and entities that represent a high ML/TF risk in several member states, will be subject to direct oversight of AMLA-led joint supervisory teams rather than the respective NCA. In the first selection process this will amount to up to forthy groups and entities. The list of financial institutions subject to direct supervision is to be comprehensively evaluated every three years. Non-selected and non-financial obliged entities will be subject to indirect oversight whereby AMLA will monitor and coordinate the relevant NCAs.
Rulemaking powers
AMLA will be entrusted with the creation of regulatory technical standards that specify how obliged entities should manage money laundering and terrorist financing (ML/TF) risks. Furthermore, AMLA will draft Implementing Technical Standards to further standardise the application of European AML/CFT legislation, and issue guidelines or recommendations to obliged entities, national supervisors or FIUs.

EU AML Regulation (AMLR)

The first of its kind as a European AML/CFT regulation, the AMLR will replace the fourth and fifth AML directives, aiming to increase harmonisation between member states through its direct applicability. The AMLR will create uniformity of application and consistency of requirements between member states.

Main changes that the AMLR will bring about include

Obliged entities: The AMLR expands the list of obliged entities. It will include most of the crypto sector, professional football clubs, and traders of high value goods and cultural goods. These groups were added because they are exposed to risks of money laundering and thus play an important role in detecting suspicious activities.
Beneficial ownership: The AMLR harmonises the definition and threshold for beneficial ownership to include both ownership and control for all member states, setting the threshold at (rather than over) 25 per cent.
PEPs: The AMLR establishes the obligation to define the list of functions to be conferred PEP status (Politically Exposed Person) in each jurisdiction. The Commission is empowered to adopt, by means of an implementing act, the establishment and communication of the national lists of prominent public functions. The national lists will identify common additional categories of prominent public functions.
High-risk third countries: The AMLR introduces additional countermeasures to combat EU threats. When a Member State identifies a specific risk posed by a third party that is not addressed by the Commission's countermeasures, it may require obliged entities established in its territory to apply specific additional countermeasures to mitigate the specific risks stemming from that third country.
Cash payment limit: The AMLR introduces a ban on cash payments above a limit of ten thousand euros , with member states free to lower this limit further. Although it is uncertain whether this will be implemented, the legislative proposal ‘Plan of approach to money laundering’ includes a reduction of the limit to three thousand euros in the Netherlands.

In addition to the provisions above, the AMLR will also introduce new measures, such as Enhanced Due Diligence (EDD) measures for crypto-asset service providers and for credit and financial institutions. The AMLR includes new requirements for CDD, such as the frequency of updating customer information shall be based on the risk posed by the business relationship and shall in any case not exceed one year for higher risk customers and five years for all other customers.

EU sixth AML Directive (AMLD6)

The sixth Anti-Money Laundering Directive contains AML-Rules that could not be properly included in the regulation as they require national transposition. These amendments relate to sanctions, powers, and administrative steps regarding national competent authorities (NCA) and financial intelligence units (FIUs) in member states.

Some of the highlights of the AMLD6 can be summarised as follows:

FIU responsibilities: The role of FIU’s will be strengthened by various means, this includes but is not limited to the following topics. FIU’s will gain swift and direct access to financial, administrative and law enforcement information (e.g. Tax information and information on funds). In addition, AMLD6 enables enhanced cross border collaboration between member states’ FIU’s when there are complicated cross border cases, the FIU.net system will be upgraded to ensure the national FIU's can quickly distribute cross border reports.
Enhanced rules for beneficial ownership registers: The data provided to the central beneficial ownership register needs to be verified (e.g. authenticity and up to date nature of information). The verification is done by the authority in charge of the register, in The Netherlands this is the Kamer van Koophandel. Any entities or arrangements linked to individuals or entities under targeted financial sanctions will be marked. The directive empowers authorities in charge of the registers to conduct inspections at the premises of registered legal entities if there are doubts about the accuracy of the information they possess. Furthermore, the agreement specifies that, apart from supervisory bodies, public authorities, and obligated entities, individuals from the public with a genuine interest, such as the press and civil society, may also access the registers.
Confirmed relevance of risk assessment: The Commission will conduct an EU-level evaluation of money laundering and terrorist financing risks, issuing recommendations to member states regarding necessary measures. Additionally, member states will conduct their own risk assessments domestically, pledging to actively address the risks identified in these evaluations.

When will the regulation and directive enter into force?

The AMLR will apply from mid-2027. The AMLD must be transposed by each of the member states within three years, with articles concerning the availability of the UBO register and the amendments to Directive (EU) 2015/849 coming into force earlier.

A significant part of the legal obligations for obliged institutions will come into effect through the European AMLR. It is therefore expected that a significant part of the Dutch Anti-Money Laundering and Terrorist Financing Act (Wwft) will be repealed.

What does the AML package mean for your organisation?

The AML package, with its extensive scope of legal obligations and changing supervisory regime, will have a significant impact on obliged organisations.

It is important that your processes, systems, and control measures are set up to ensure timely compliance with the AML package. At the same time, this compliance must be accompanied by a risk-based approach tailored to your organisation.

With our deep market knowledge and extensive experience in operational transformation, we can help your organisation become compliant in a way that aligns with the AML/CFT risks your organisation faces. Moreover, we can assist with taking steps that your organisation can already take now, ensuring a smooth transition until the package fully applies in mid-2027.

Your organisation can already take these steps now

Appointing a member of the board of directors or senior management to comply with the obligations of the AML/CFT package, incorporating tone-at-the-top and AML/CFT considerations into the company's strategic direction.
Revising existing AML/CFT policy documents, training materials, as well as internal controls, customer inquiries, and regulatory reporting.
Updating the AML/CFT-related information you provide for customer due diligence on your entity by other obliged entities.
Thoroughly reviewing and updating the AML/CFT risk analysis (SIRA), including risk assessments of outsourcing, and ensuring that reliance agreements with other obliged entities and/or service providers are updated where necessary.