Legal Framework for Money Laundering in Europe

Intoduction

An estimated two to five percent of the Global Gross Domestic Product ("GDP") in one year is the result of money laundering. Money launderers prefer countries with solid financial markets and financial services, high GDP, high exports and imports, and a rather lax anti-money laundering regime and low fines.

Europol has estimated that around one percent of the EU's annual GDP is "detected as being involved in suspect financial activity". According to a study from the European Parliament dated 2017, this issue poses a particular threat to large European countries. The United Kingdom tops the list with an estimated total of €282 billion laundered annually, followed by France, Belgium, Germany, Luxembourg, the Netherlands, and Austria. Compared to their GDP, the Baltic States, Luxembourg and Cyprus have a disproportionate volume of money laundering. According to Europol's European Financial and Economic Crime Threat Assessment for 2023, money laundering is a crucial activity for organised crime, enabled by globalisation and the digitalisation of the financial sector. Almost 70 percent of criminal networks acting in the European Union perform basic money laundering techniques, and about 30 percent operate with highly developed money laundering networks and/or underground banking systems.

In recent years, the competent local authorities have published general guidelines to inform the obliged entities about the applicable due diligence and organisational requirements. As a further step, several thousand audits have been performed in the member states to evaluate the status quo and pave the way for further action against those who do not comply with the requirements of the AML laws. The most recent reports demonstrate that administrative fines have been levied against traders in goods. The most common reasons have been:

The official identification document was not fully copied during the customer identification process.
The obliged entity cannot prove that it has obtained appropriate confirmation whether or not the contracting party is acting on behalf of a beneficial owner.
The obliged entity cannot prove that it has verified the obtained customer data on the basis of an appropriate official identification document.
The obliged entity has not submitted the suspicious activity report completely, correctly and in due course.

Following a number of prominent cases of alleged money laundering taking place at EU credit institutions, the European Commission adopted a set of documents in July 2019 analysing the effectiveness and efficiency of the EU Anti-Money Laundering/Countering the Financing of Terrorism ("AML/CFT") regime as it stood at that time, and concluding that reforms were necessary.

On 7 May 2020, the European Commission presented an action plan for a comprehensive Union policy on preventing money laundering and terrorism financing and defined six priorities or pillars in order to strengthen the EU's rules on combating money laundering and terrorist financing:

Ensuring effective implementation of the existing EU AML/CFT framework;
Establishing an EU single rulebook on AML/CFT;
Bringing about EU-level AML/CFT supervision;
Establishing a support and cooperation mechanism for Financial Intelligence Units ("FIUs");
Enforcing EU-level criminal law provisions and information exchange;
Strengthening the international dimension of the EU AML/CTF framework.

The AML Package 2021

On 20 July 2021, the European Commission introduced its Anti-Money Laundering Package ("AML Package"; https://finance.ec.europa.eu/publications/anti-money-laundering-and-countering-financing-terrorism-legislative-package_en) that includes the following legislative proposals:

A Regulation on AML/CFT ("AMLR"), containing directly-applicable rules, for example in the areas of Customer Due Diligence and Beneficial Ownership;
A sixth Directive on AML/CFT ("AMLD6"), replacing the existing Directive 2015/849/EU (AMLD4 as amended by AMLD5), containing provisions that will be transposed into national law, such as rules on national supervisors and Financial Intelligence Units in member states;
A Regulation establishing a new EU AML/CFT Authority ("AMLA") in the form of a decentralised EU regulatory agency; and
A revision of the 2015 Regulation on Transfers of Funds to trace transfers of crypto-assets (Regulation 2015/847/EU).

The AML package is being discussed by the European Parliament and Council. The European Commission stated that it looks forward to a speedy legislative process. Following announcement dated 18 January 2024 that the European Parliament and Council had reached provisional political agreement on the texts of the new AMLR and AMLD6, the final compromise texts were released on 12 February 2024. The Council and the Parliament will now have to formally adopt the texts before they are published in the EU's Official Journal and enter into force.

Obliged Entities under AML Laws

It is a widespread misconception that only financial institutions and the related industry must undertake appropriate measures in the European Union to comply with AML laws. So-called traders in goods are subject to the same legal requirements if these persons are dealing in luxury goods such as precious metals, precious stones, jewellers, horologists and goldsmiths and other high value goods, where such trading is either a regular or a principal professional activity. The term "value goods" has been expanded to motor vehicles, watercrafts and aircrafts in the higher market segments given their high value and transportability. Therefore, traders of such goods should be subject to AML/CFT requirements.

Other affected parties are lawyers, auditors, tax advisors, real estate agents (including when acting as intermediaries in the letting of immovable property), casinos, art traders (i.e. persons storing, trading or acting as intermediaries in the trade of works of art), operators and brokers of online gambling platforms, custodian wallet providers, and virtual currency exchange service providers.

Additionally, professional football clubs and agents shall become obliged entities under the AMLR. These rules shall apply after five years upon entry into force, as opposed to three years for the other obliged entities.

Cash Payments

AMLR sets a EU-wide limit to large cash payments of €10,000. Member states should be able to adopt lower thresholds and further stricter provisions to the extent that they pursue legitimate objectives in the public interest. Given that the AML/CFT framework is based on the regulation of the business economy, the limit should not apply to payments between natural persons who are not acting in a professional function. To ensure that the measures are proportionate with the risks posed by transactions of a value lower than €10,000, such measures should be limited to the identification and verification of the customer and the beneficial owner when carrying out occasional transactions in cash of at least €3,000. This provision does not relieve the obliged entity from conducting all customer due diligence measures whenever there is a suspicion of money laundering or terrorist financing, or from reporting suspicious transactions to the FIU.

Criminal and Administrative Liability

The member states must ensure that obliged entities can be held liable for breaches of AML laws. Furthermore, the member states have the right to provide for and impose penalties under criminal law and must lay down rules on administrative measures to ensure that their competent authorities may enforce AML rules and regulations. In addition, member states must ensure that their competent authorities promptly report any identified criminal offences to their law enforcement authorities.

With regard to criminal liability, some member states previously excluded ''self-laundering'' from money laundering as a criminal offence. The reason for the previous exclusion was that if, for example, a person stole money and was prosecuted for both theft and money laundering, this was seen as an inadmissible double punishment. However, under strong pressure from the Financial Action Task Force on Money Laundering ("FATF"), all countries have meanwhile amended their laws, declaring self-laundering a money laundering crime. Germany was the last country to amend its laws accordingly in November 2015.

Administrative sanctions and measures apply to breaches on the part of obliged entities that are serious, repeated, systematic, or a combination thereof of the requirements for:

Customer due diligence;
Suspicious transaction reporting;
Record-keeping; and
Internal control measures.

Member states must ensure that in these cases, the administrative sanctions and measures include at least:

A public statement which identifies the natural or legal person and the nature of the breach;
An order requiring the natural or legal person to cease the conduct and to desist from repeating that conduct;
Withdrawal or suspension of the authorisation where an obliged entity is subject to an authorisation;
A temporary ban against any person discharging managerial responsibilities in an obliged entity, or any other natural person, held responsible for the breach, from exercising managerial functions in obliged entities;
Maximum administrative fines of at least twice the amount of the benefit derived from the breach where that benefit can be determined, or at least €1 million.

Supervision of AML Laws and AMLA

Member states are required to appoint competent authorities to supervise obliged entities effectively and, in particular, to monitor the adherence and take the measures necessary to ensure compliance with the AML laws. In this context, it is important that member states provide the competent authorities with adequate powers of enforcement, including the power to demand any information relevant to monitoring compliance and performing external audits.

More specifically, the standard under European AML rules requires that the competent authorities have on-site and off-site access to all relevant information on particular domestic and international risks associated with customers, products, and services of the obliged entities. Regarding the frequency and intensity of on-site and off-site supervision, competent authorities will consider the individual risk profile of obliged entities and the risks of money laundering and terrorist financing in the respective member state.

Moving forward, AMLA will directly supervise up to 40 financial institutions deemed to pose the biggest risk of money laundering or terrorist financing. This shall include at least one institution from each member state of the European Union. AMLA will define the selection criteria for the direct supervision of financial entities separately. Direct supervision will be conducted by so called joint supervisory teams led by AMLA and including staff from national AML authorities. AMLA will coordinate and assist national supervisory authorities to increase their effectiveness in enforcing the single rulebook and ensuring homogeneous, high-quality supervisory standards, approaches and risk assessment methodologies. Moreover, AMLA will provide stable hosting of the FIU.net platform and enable, inter alia, a development of common reporting templates and standards to be used by EU FIUs. Moreover, AMLA will be entrusted to adopt regulatory technical standards and implement technical standards and issue guidelines or recommendations addressed to obliged entities, national supervisors or FIUs.

In addition, all existing FIUs shall be increasingly involved in the fight against money laundering. Under AMLD6 FIUs shall have immediate and direct access to financial, administrative and law enforcement information.

According to the announcement of 22 February 2024, Frankfurt has been chosen by Parliament and Council as the seat of AMLA. AMLA is expected to begin operations mid-2025 with over 400 staff members and to start direct supervision a little later, once AMLD6 is implemented and the new legal framework enters into force.

Obligations under AML Laws

Compliance with the requirements of the AML laws mainly consists of satisfying two high-level obligations:

Organisational requirements and
Customer due diligence requirements.

Risk Analysis

Obliged entities are required to rate individual business relationships and transactions in light of their respective money laundering risk (risk-based approach). The results of the risk assessment must be documented. It should describe the potential risks associated with the business of the obliged entity, which can be divided into the following categories:

Company risks;
Customer risks;
Product risks;
Transactional risk; and
Geographic risks.

The risk factors will be set out in Annexes II and III of the AMLR. As soon as the potential risks have been determined and described, it is the task of the obliged entity to determine to what extent they may actually materialise. Depending on the risk levels (i.e. risk-based approach), preventive measures and safeguards may be implemented. The risk assessment must also be updated at least once a year in order to ensure the effectiveness of the preventive measures and safeguards. By two years after the date of application of AMLR, AMLA shall issue guidelines on risk factors to be taken into account by obliged entities when entering into business relationships or carrying out occasional transactions.

Compliance Manager and Compliance Officer

The essential element of compliance with AML laws is an appropriate internal organisation. Even if this is only required for certain entities (where appropriate with regard to the size and nature of the business), the appointment of a compliance manager (one member of the management body in its management function who shall be responsible to ensure compliance with AMLR and AMLD6) and a compliance officer is required to bear responsibility for the development of internal policies, procedures, and controls. These include risk analysis and risk management measures, customer due diligence, reporting, record keeping, internal control, and employee screening. The MLRO is also entitled to report suspicious events to the FIU. The compliance officer shall be appointed by the management body in its management function and with sufficiently high hierarchical standing, who shall be responsible for the policies, procedures and controls in the day-to-day operation of the obliged entity's AML rules, including in relation to the implementation of targeted financial sanctions, and shall be a contact point for competent authorities. The compliance officer shall also be responsible for reporting suspicious transactions to the FIU. The fulfilment of their duties may not lead to any disadvantages in the employment relationship. The clear organisational responsibility for this task is the foundation for compliance with the AML laws.

AML Manual

With the confidential risk assessment in place, the next element of the compliance structure – the AML manual – can be drafted and implemented. The AML manual describes the internal processes and activities to be implemented by the company to ensure compliance with legal requirements. Amongst other matters, the manual includes regulations for customer identification, the document or software system to be used, the escalation process for onboarding politically exposed persons, as well as record keeping and retention requirements and the internal procedure to report suspicious activities to the MLRO and other corporate governance provisions.

AML Policy

Each obliged entity must implement appropriate processes and train employees on the types and current methods of money laundering and terrorist financing. This requirement can be met through an AML policy where each employee receives general information on money laundering and appropriate obligations. The training should be repeated at regular intervals depending on the respective AML risk of the obliged entity; the market standard is an interval of two years. It is also important to document all employees' attendance at the training sessions to ensure compliance with the AML provisions.

Internal Controls

With the AML manual and the AML policy in place, the company and all employees must implement the internal requirements in practice. One of the central tasks is the performance of customer due diligence. More generally, it is important to monitor the business activities and effectiveness of the implemented preventive measures and safeguards.

Central Register of Beneficial Owners

All member states are required to set up a central register of beneficial owners to obtain and store information on beneficial owners. All legal persons under private law and all registered partnerships must collect, hold, and provide beneficial ownership information and communicate this information to the central register. The requirements for beneficial ownership will be streamlined by AMLR. Rules to identify the beneficial owner(s) of corporate and other legal entities will be more detailed and will, therefore, trigger a substantial amount of implantation work for the obliged entities. Beneficial ownership will be defined as "any natural person who ultimately owns or controls a legal entity or express trust or similar legal arrangement, as well as any natural person on whose behalf or for the benefit of whom a transaction or activity is being conducted". According to AMLR "control through an ownership interest" shall mean an ownership of 25 percent plus one of the shares or voting rights or other ownership interest in the corporate entity, including through bearer shareholdings, on every level of ownership. According to the current legal framework of Directive (EU) 2015/849 (AMLD), this threshold only applies at the first level of participation, while a majority of shares or voting rights is generally required at the second or higher level of participation.

Under AMLD6 member states shall ensure that the beneficial ownership information of legal entities and legal arrangements, information on nominee arrangements and information on foreign legal entities and foreign legal arrangements are held in a central register. To ensure that the registers of beneficial ownership information are easily accessible and contain high-quality data, consistent rules on the collection and storing of this information by the registers will be introduced by the member states. Such registers will be required to screen the beneficial ownership information they hold against designations in relation to targeted financial sanctions, both immediately upon such designation and regularly thereafter, in order to detect whether changes in the ownership or control structure of the legal entity or legal arrangement are conducive to risks of evasion of targeted financial sanctions. Entities that are associated or affiliated with persons or entities that are subject to targeted financial sanctions shall be flagged. The entities in charge of the register shall be granted the power to carry out inspections at the institutions, if there are doubts regarding the accuracy of the information made available. There is no need to demonstrate a legitimate interest to access the central register. Public access to beneficial ownership information allows greater scrutiny of information by civil society, including the press or civil society organisations, and contributes to preserving trust in the integrity of business transactions and of the financial system.

Criminal Liabilty

A directive on combating money laundering by criminal law was adopted on 23 October 2018. It lays down minimum rules on criminal liability for money laundering. In particular, the directive harmonises the definitions of money laundering and predicate offences, lays down minimum sanctions, and extends criminal liability to legal persons. As those concepts are now clarified in Union criminal law, it is no longer needed for the Union's AML rules to define money laundering, its predicate offences or terrorist financing. Instead, the AML laws will be fully coherent with the Union's criminal law framework.

Conclusion

In practice, entities must produce three documents based on the market standard to meet AML compliance: a risk analysis, an AML manual, and an AML policy. All three documents must be tailored to their respective business model and the entailing AML risks. The risk-based approach allows an individual set of measures depending on the respective level of risk, i.e. fewer measures in case of lower risks. Most importantly, the documentation provides protection against reputational harm and external challenges by supervisory authorities.

The new AMLR and AMLD6 will, for the first time, exhaustively harmonise rules throughout the EU, closing possible loopholes used by criminals to launder illicit proceeds or finance terrorist activities through the financial system. This will also be relevant for the obliged non-financial entities which will be subject of publication of AMLA aiming to harmonise the applicable AML rules going forward. The new AML rules will trigger implementation projects for all obliged entities, which will comprise a GAP analysis and a programme to close any identified gaps.

Dr. Richard Reimer Partner Hogan Lovells Frankfurt T +49 69 962 36 414 E richard.reimer@hoganlovells.com	Richard Reimer advises financial institutions, FinTechs and other companies on all aspects of financial regulation and compliance, with a particular focus on payments law. Furthermore, Richard advises on regulatory aspects of M&A transactions involving financial institutions (e.g. ownership control proceedings). He has dealt with major investigations in the financial sector and handled the relationship with the financial supervisory authority (BaFin). He is trusted advisor of the Federal Association of Payment and E-Money Institutions and as such involved in all relevant legislative procedures. He is part of the investment fund team and contributes to all regulatory aspects in structuring investments in Germany. Richard leads a team which primarily advises on banking licence proceedings, own funds requirements and compliance projects including whistleblowing systems, anti-money laundering compliance and financial sanctions.

Sarah Wrage, LL.M. Partner Hogan Lovells Frankfurt T +49 69 962 36 421 E sarah.wrage@hoganlovells.com	Sarah Wrage advises German and international banks and financial services institutions as well as other companies on all aspects relating to banking regulatory law, payment services law and investment law. The main focus of her work is to give advice on licensing, capital requirements, duty of care and organisational requirements, compliance, and regulatory implications of transactions. Furthermore, Sarah assists her clients in the implementation of new financial products, particularly in the payment area. In investment law, Sarah primarily offers advice and support to asset management companies, investment fund managers and investors regarding the structuring and setting up of investment funds as well as the permissibility of investments and the distribution of funds.