4th Money Laundering Directive – What you need to know

The European Union’s Fourth Anti-Money Laundering Directive came into force on 26th June 2017.

The Directive includes some fundamental changes to the anti-money laundering procedures, including changes to CDD, a central register for beneficial owners and a focus on risk assessments. However, with proper preparation and training, the transition to the new regime should be seamless for most firms.

4th Money Laundering Directive

The 4th money laundering directive replaced the third money laundering directive (3MLD) and the 2006 iteration of the Fund Transfer Regulation, which were implemented in UK law through the Money Laundering Regulations 2007, the Proceeds of Crime Act 2002 and the Terrorism Act 2000. The Fourth Money Laundering Directive updated and expanded anti-money laundering laws across the European Union. Unlike GDPR, which automatically came into force, updating the AML regime required each national parliament to transpose the regulations into local law through local acts and regulations within a two year period. Most of the changes from 3MLD to 4MLD were in the CDD section, with a switch from the prescriptive approach of the third directive (particularly for simplified and enhanced due diligence) to the risk-based approach of the fourth directive

What has changed?

Changes to CDD

  • CDD is required by anyone trading goods in cash with a value over €10,000 (previous value was €15,000)
  • CDD by casinos where customers wish to place a stake or collect winnings of at least €2,000

Enhanced measures for local PEPs

The rules for politically-exposed persons (“PEPs”) are no longer limited to persons outside the UK. Local PEPs will now be subject to the same scrutiny as foreign PEPs. The Directive adds a note chastising firms for refusing the business of a PEP:

The requirements relating to politically exposed persons are of a preventive and not criminal nature, and should not be interpreted as stigmatising politically exposed persons as being involved in criminal activity. Refusing a business relationship with a person simply on the basis of the determination that he or she is a politically exposed person is contrary to the letter and spirit of this Directive and of the revised FATF Recommendations.

Central register of beneficial ownership

Under the Directive, corporates and other legal entities will be required to maintain accurate and current information on their beneficial ownership. They must provide that information to the government. That information on beneficial ownership will be held by each member state in a central register that will be accessible to banks, law firms and “any person or organisation that can demonstrate a legitimate interest”. These interconnected registers will contain the names, dates of birth, nationality, country of residence and the nature and extent of the beneficial owners’ interests in the transaction.

This is potentially good news for law firms. A primary requirement, and administrative burden of CDD at the moment is identifying beneficial owners. Access to a pan-European register will likely make CDD research much easier.

No automatic exemption from enhanced CDD

Under the Third Directive and the current Money Laundering Regulations, firms are able to automatically apply simplified CDD in the following circumstances:

  • Credit or financial institutions subject to the requirements of the Money Laundering Directive or similarly compliant local legislation
  • Companies whose securities are listed on a regulated market subject to specified disclosure obligations
  • UK public authorities
  • UK pension schemes

Under the Fourth Directive, firms can use these circumstances as part of a justification for simplified due diligence after conducting a risk analysis. However, the exemption from enhanced CDD is not automatic, and the decision to apply simplified CDD should be backed up by documentation. The Law Society has raised concerns that some of these situations will create an undue burden on firms, particularly in the case of pooled client accounts. The Law Society is lobbying this issue with HM Treasury.

Emphasis on a risk-based approach

The word risk appears 149 times in the Fourth Directive, compared with 36 times in the Third Directive and 13 times in the Money Laundering Regulations 2007. This is not a coincidence. The Directive puts a heavy emphasis on employing a risk-based approach to money laundering at every level. It directs states to commission national risk assessments, firms to develop risk-based policies, and practitioners to conduct CDD in a risk-based manner.

The current UK regulations already incorporate a risk-based approach, but the new Directive goes even further and it seems to require more documentation of the risk assessment. For law firms this means:

  • Requirement to demonstrate and document that risk assessments are conducted and kept up to date, taking into account risk factors including those relating to their customers, countries or geographic areas, products, services, transactions or delivery channels
  • Written money laundering policies and procedures that take the firm’s risk assessment into consideration
  • Internal audit teams, where necessary, to test the internal policies, controls and procedures
  • Training on how to conduct a risk-based CDD and ongoing monitoring

Expands beyond the EU borders

Firms with majority-owned subsidiaries located in other countries where the minimum AML requirements are less strict than those of the Member State must implement the requirements of the Member State at those subsidiaries.

What does the fourth money laundering directive mean for the UK?

The Fourth Directive was transposed into UK as the Money Laundering Regulations 2017.

Some of the key changes that the Fourth Money Laundering Directive present are:

  • The ultimate beneficial owner of a corporate client will need to be determined and due diligence checks performed.
  • There will no longer be automatic exemptions from conducting client due diligence.
  • The rules for politically-exposed persons (“PEPs”) are no longer limited to those outside the UK.
  • Third party equivalence – the Fourth Directive has rescinded the “white list” and country-specific risk determinations must be made for any jurisdiction outside of the EU.

Our publication on the changes under the Fourth Money Laundering Directive expands further on what organisations and law firms need to do to be compliant.

VinciWorks’ anti-money laundering mini course

In light of the changes under the Money Laundering Regulations 2017, VinciWorks has created a free short anti-money laundering course that gives a clear overview of the changes. We have created the course in two formats to allow users to give the course as well as pass on to staff to learn the course in their own time. Management teams have the ability to train their staff on the changes to money laundering regulations themselves with free presentation slides that can easily be edited for firms that wish to apply their own terminology, policies and guidance. We have also created a SCORM version of the course for staff to take in their own time. You can download a free guide to uploading a SCORM course to the VinciWorks Learning Management System here.

Download now

Free webinar recording on Fourth Money Laundering Directive

To help firms prepare for the Fourth Directive, VinciWorks hosted a webinar with Anti-Money Laundering Expert Amy Bell. Amy is chair of the Law Society’s Money Laundering Task Force and the author of the Law Society’s e-learning and Toolkit on the Bribery Act. You can view a recording of this webinar by clicking the button below.

Watch now

Anti-money laundering e-learning training

VinciWorks provides online training on anti-money laundering that is compliant with the Fourth Directive. Our course explains what money laundering is and raises awareness. By taking the training, users will learn to recognise transactions or activities which may be related to money laundering or terrorist financing through real life application of anti-money laundering procedures.

Note: As of April 2017, all VinciWorks’ anti-money laundering courses have been updated to reflect the Fourth Directive. You can learn more about VinciWorks’ online training suite, which includes our latest release, AML: Know Your Risk and demo the course for free here. We have also created an anti-money laundering resource page that is fully compliant with the Fourth Directive. The page includes on-demand webinars, policy templates, guides and more to help organisations comply with the latest money laundering regulations.

Other resources

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.