Article 8 min

6AMLD — Establishing effective compliance programs for the EU

6AMLD
6AMLD

Some organizations view fines or sanctions for money laundering as a cost of doing business. However, under the EU’s 6th Anti-Money Laundering Directive (6AMLD), employees and officials of organizations — and entities working on behalf of those organizations — can now be held criminally liable. Negligence or irresponsibility when it comes to enabling the flow of illicit funds, can result in individuals, as well as corporations, being criminally charged and/or fined.

As Trulioo COO Zac Cohen states:

Where the entity may have protected the individual or vice versa in the past, the market is now signaling that controls need to be tightened, both internally and externally, to ensure that the issue isn’t being propagated.

Obliged entities, such as EU banks, financial institutions, money service businesses, and gaming companies, have until June 3, 2021, to enact 6AMLD compliance procedures. While 6AMLD is consistent with the spirit of both 4AMLD and 5AMLD, it will require businesses to review their AML monitoring processes and identify areas for improvement within their customer onboarding processes and other business operations.

Predicate offenses — widening the scope of money laundering

One goal of the Directive is to ensure the definition is consistent across the EU and covers all significant activities that contribute to money laundering. Under 6AMLD, any major crime that includes a financial component also constitutes money laundering. There are 22 predicate offenses listed in the Directive, including racketeering, terrorism, human trafficking, fraud and corruption. Financial crimes like insider trading and market manipulation are also predicate offenses, as are more recent forms of illegal activity like environmental crime and cybercrime.

By widening the scope of what money laundering entails, law enforcement will have more tools to go after various criminal activities. The option to charge perpetrators and all those that assist their actions with money laundering offenses can simplify criminal cases.

All compliance teams should receive proper training in what these predicate offenses are and how to detect and report them.

Aiding and abetting or passively avoiding responsibilities?

It’s important to understand that under 6AMLD, money laundering laws are not limited to criminals and their associates. Instead, financial service providers, accountants, tax advisors and other professional services who aid and abet criminals in laundering their illicit gains are also potentially criminally liable and face serious consequences.

When property is derived from illegal activity, the Directive states it’s a criminal offense to:

  • Convert or transfer that property
  • Conceal or disguise ownership
  • Acquire, possess or use that property

EU member states may take further measures to criminalize if the “offender suspected or ought to have known that the property was derived from criminal activity.”

There’s also a clause in 6AMLD that anyone with decision or control powers of a legal entity can be held liable for any offences. The Directive sees no distinction between directly benefiting from money laundering and those overtly aiding and abetting it.

How these clauses will be enforced in situations where there is no intentional act or direct, provable evidence of money laundering will be one of the key questions as 6AMLD progresses.

6AMLD - Due diligence, effective systems and being responsible

Due diligence, effective systems and being responsible

Will regulators and the legal system take a reasonable approach to criminal liability regarding unintentional money laundering? Will enforcement only occur if the action is reckless or seriously negligent? As Nicola Sharp of legal firm Rahman Ravelli points out, “6AMLD fails to make it clear what the criteria are under which directors, trustees or money laundering reporting officers might be open to criminal prosecution under an ambiguous transposition of the Directive by member states.”

Other Directives have pointed to deploying a risk-based approach, where the risk control measures are commensurate with the risk level. However, that approach implies that some risk is unavoidable on a practical level, or as Sharp says, “instances of money laundering are likely to happen despite the rigor of any controls in place at financial institutions and other such firms.”

Until clarity on the matter is fully available, compliance teams can endeavor to create robust, adaptable, effective due diligence measures that will help serve them well, regardless of specific legal requirements.

Know Your Customer (KYC)

The first step to an effective AML program is understanding who your customer is and the risk they pose. While these Know Your Customer (KYC) procedures are mandated on obliged entities, some organizations see these as tick-box exercises.

The first step is the Customer Identification Program, procedures to identify the individual. The processes to carry this out can vary widely, depending on the number and quality of data sources, the number and types of identity verifications performed and the scope of data intelligence applied in the system.

Customer Due Diligence (CDD) measures can also vary widely. On initial CDD analysis, various factors can indicate the need for Enhanced Due Diligence (EDD), for example:

  • Person’s location
  • Their occupation
  • Types of transactions
  • Expected patterns of activity in terms of transaction types, dollar values and frequency
  • Expected methods of payment

Industry best practice is to determine what criteria to use for EDD and ensure those standards are met on an ongoing basis and examined regularly for potential updates.

Know your business customers

Just as it’s vital to know individual customers, knowing your business customers, suppliers and other third parties is equally important. These business relationships can involve significant additional risk, so the level of due diligence required is often substantially more.

While the regulations for business verification are becoming more rigorous, these procedures are not entirely new. Since 2017, the requirements for onboarding business customers, as stated in 4AMLD, have included:

Identifying the beneficial owner and taking reasonable measures to verify that person’s identity so that the obliged entity is satisfied that it knows who the beneficial owner is, including, as regards legal persons, trusts, companies, foundations and similar legal arrangements, taking reasonable measures to understand the ownership and control structure of the customer.

Financial institutions (FIs) always needed to look at business documents. They’d want an applicant to come in with all their business records. They’d pore over the documents manually, make copies, make notes, pass them on to other departments, get responses, ask the applicant back in for clarification, and around the merry-go-round it went.

This manual-intensive process is slow, expensive and frustrating, both for the FIs and business applicants. For example, a Forrester Consulting survey found that it cost up to $25,000 (~ €21,000) and it took up to 34 weeks to go through the AML and KYC onboarding process. While that survey dates back to 2016, according to an article in Finextra, it takes 3-4 months to onboard a corporate banking customer. The article states that lengthy delays lead to application abandonment and, as a result, “in 2019, it was deduced that the global commercial and business banking market lost $3.3 trillion.”

A noticeable trend in the market is to examine ways to automate business verification processes and implement artificial intelligence to:

  • Save time and resources
  • Improve the business customer onboarding experience
  • Help ensure 6AMLD compliance
  • Create a more adaptable, scalable compliance solution
6AMLD - Confidence in compliance

Confidence in compliance

In light of upcoming 6AMLD requirements, many organizations are currently examining all their compliance workflows. It’s not merely about meeting the June 3 deadline, as this is only one step for the evolving nature of AML and KYC compliance. For example, a new single standalone AML supervisory body is being planned by the EU and further regulatory changes are expected.

Faced with this level of complexity and change, forward-looking organizations can take a broader view of compliance and operational best practices and adopt new processes and technologies to stay ahead.

As Cohen says, AML and KYC “must never be a one and done solution; it should be layered and follow the customer lifecycle from end-to-end.”

By ensuring they have the flexibility to adapt to changing regulatory requirements quickly and easily, these organizations can ensure they are first to market with new products and services while simultaneously minimizing risk. What’s more, having good compliance processes can make it far easier to enter new markets in a fast and seamless way, rather than being held up by regulatory bodies and red tape.

As Derville Rowland, Director General of Financial Conduct, Central Bank of Ireland, states, “Firms with a positive consumer-focused culture should commit to investing and resourcing an effective framework from both a customer and compliance perspective.”

Rigorous 6AMLD compliance measures shouldn’t come at the expense of having seamless onboarding or smooth, cost-effective operations. Enabling innovative compliance technology throughout the organization helps ensure that controls are in place to limit risk and effectively drive growth.