The EU AML Transformation: The Single Rulebook, 6AMLD and AMLA

On 19 June 2024, the new Anti-Money Laundering (AML) package was published in the Official Journal of the European Union. This follows from the AML ‘single rulebook’ regulation, together with the 6th AML Directive, and AML Authority Regulation, which were adopted by the Council on 30 May 2024, along with the proposed amendments. The aim of this AML package is to harmonise the AML rules across the EU, apply stricter rules against money laundering, and terrorist financing, while also strengthening and protecting the financial system.

This AML Package consists of a directive and two regulations:

• a regulation establishing the AML requirements for the private sector;
• a regulation to establish the new AML Authority (AMLA); and,
• a directive to implement mechanisms at a national level.

Regulation (EU) 2024/1624, also known as the ‘single rulebook’ regulation, will harmonise AML rules and requirements for the private sector, with the aim to further increase transparency on beneficial ownership for legal entities, trusts and other arrangements, and minimise the misuse of anonymous financial instruments. It will apply from 10 July 2027, except for football agents and professional football clubs, to which it shall apply from 10 July 2029.

New obliged entities will be introduced to Malta’s current ‘relevant financial business’ and ‘relevant activities’ lists. The following list of new obliged entities, which will be added to the Maltese obliged entities list, and may apply at specific value thresholds and/or restricted to a particular activity:

1. persons trading in precious metals and stones, and in high-value goods, as a regular or principal professional activity;
2. traders and intermediaries of cultural goods, or persons storing cultural goods ^[1];
3. crowdfunding service providers and crowdfunding intermediaries;
4. investment migration operators;
5. non-financial mixed activity holding companies ^[2] with subsidiaries conducting financial activity; and,
6. football agents and professional football clubs when conducting transactions with an investor, sponsor, football agents or other intermediaries, and football player’s transfers.
    

^{[1] Historical, artistical, or archaeological goods as listed in Annex I to Council Regulation (EC) No 116/2009. For Malta, this will extend the current meaning from the sale of ‘works of art’.}

^{[2] A company which is not the subsidiary of another, where the subsidiaries include at least one obliged entity. For avoidance of doubt these will be considered as obliged entities themselves.}

High-value goods are listed in Annex IV of the regulation and are defined as:

1. Jewellery, gold, or silversmith articles of a value above EUR 10,000;
2. Clocks and watches of a value above EUR 10,000;
3. Motor vehicles of a price above EUR 250,000;
4. Aircraft of a price above EUR 7,500,000; and,
5. Watercraft of a price above EUR 7,500,000.

Over and above the normal CDD requirements, persons trading in high-value goods will be required to request further information. This includes information regarding the commercial or non-commercial purpose of the goods acquired, as well as the source of funds and occupation of the customer. Following from the above changes, traders in high-value goods will now also be required to report to the national FIU, all those transactions which involve the sale of goods for non-commercial purposes in points 3, 4 and 5 above (motor vehicles, aircraft, and watercraft at the above-mentioned value).

Further to limiting the anonymity of transactions and building on top of the fourth AML directive, the ‘single rulebook’ regulation now prohibits Crypto-Asset Service Providers (CASPs), credit and financial institutions, from keeping anonymous accounts or otherwise anonymous transactions.

All CASPs authorised under markets in crypto-assets (MiCA) regulation 2023/1114 are now obliged entities and should apply the travel rule according to the regulation on information accompanying transfers of funds (TFR), and certain crypto-assets (TFR recast) (EU) 2023/1113. TFR recast will apply as from 30 December 2024 and will apply to payment service providers (PSP) and intermediary PSPs, CASPs, and intermediary CASPs. This will require that the name of the payee, the payee’s payment account number, as well as the LEI ^[3], or an equivalent identifier, must be sent along with the payment in the payment message format.

MiCA, on the other hand, lays down uniform requirements for CASPs and for the offer to the public, and admission to trade on a trading platform of crypto-assets for asset-referenced tokens and of e-money tokens. It abolishes crypto-assets trading platforms from trading in crypto-assets, which may be anonymised unless their transaction history can be identified.

_{[3] This is the legal entity identifier which is a unique alphanumeric reference code based on the ISO 17442 standard assigned to a legal entity.}

The ‘single rulebook’ regulation will also govern the internal policies, procedures, and controls of those obliged entities. It will also harmonise the application of customer due diligence (CDD) obligations across member states.

In Malta, changes will apply to CDD obligations and the thresholds at which they are carried out. This includes a reduced threshold for occasional transactions from EUR 15,000 to EUR 10,000, whether in a single operation or linked transactions, while it will be lowered to EUR 3,000 when conducted in cash.

The CDD interval for natural persons or legal entities during ongoing monitoring may not exceed five years, while it may not exceed one year for those presenting a high-risk of money laundering and terrorism financing (ML/TF). This may in fact simplify the CDD processes for obliged entities by adding further clarity to the CDD, refresh expectations from the competent authorities, and introduce standardisation across the industries. In Malta, there is currently no mandated CDD refresh timeframes, and these are left for obliged entities to evaluate, apply, and justify.

With regards to the timing of simplified due diligence (SDD) in delaying due diligence for low-risk customers, the new regulation provides that verifying the identity of the customer, and where necessary, the beneficial owner, may be carried out up to a maximum of 60 days after establishing a business relationship. For the Maltese context, this threshold is not currently set in law, and this regulation will further clarify and standardise the maximum delay threshold for customer identity verification, when applying SDD.

There will also be changes to the methods of identifying ultimate beneficial owners (UBOs) of legal entities. Locally, in Malta, there will not be substantial changes to the methods of identifying the UBOs, as these are already being applied at law. The ‘single rulebook’ regulation defines the UBO as the natural person having direct or indirect ownership of 25% or more of shares, voting rights, or ownership interest, unless an entity is deemed to be high risk of ML/FT. In this case, a lower threshold shall apply and cannot be set lower than 15%.

For obliged entities in Malta, the change will mean that UBOs will be considered as such at the 25% threshold, rather than at 25%+1 of shares, voting rights, or ownership interest. In any case, obliged entities identifying UBOs of legal entities will now need to consider the natural persons who have:

1. Direct or indirect ownership of an ownership interest ^[4]; or
2. Direct or indirect control of an ownership interest, or control via other means.

The regulation also emphasises that control via other means must be identified independently and in parallel to points (1) and (2).

There will also be changes for obliged entities when identifying and verifying the beneficial owners, in the case of trusts or similar arrangements. Obliged entities are to identify and verify the natural persons as prescribed hereunder. Malta’s laws already consider these requirements, unless further clarity will be added by the Regulators.

• the settlors;
• the trustees;
• the protectors, if any;
• the beneficiaries; and,
• Any other natural persons exercising ultimate control.
• Where any of the above are legal entities, further due diligence may be necessary to identify the natural persons behind these legal entities as the beneficial owners.

_{[4] Ownership interest will include rights to share of profits, other internal resources or liquidation balance.}

Specific enhanced due diligence (EDD) measures will now apply to high net-worth individuals. Financial and credit institutions along with trust company service providers shall perform EDD when a business relationship is identified as high risk and involves handling assets valued at EUR five million or more, and if the customer’s net worth is that of EUR 50 million or more. Additional EDD measures in this specific case shall include:

• procedures to mitigate risks associated with personalised services and products offered to that customer;
• obtaining additional information on that customer’s source of funds; and,
• preventing and managing conflicts of interest between the customer, employees, and senior management, when undertaking tasks related to compliance.

The ‘single rulebook’ will extend the definition for PEPs. This will now include siblings of PEPs to the definition of family members, in addition to the parents, spouses, and descendants, when this involves heads of state, heads of government, ministers, and deputy or assistant ministers. The new AML Authority (AMLA), which is currently being set up, will issue further guidelines on the criteria for close associates of PEPs.

Regulation (EU) 2024/1620 establishes the Authority for Anti-Money Laundering and Countering the Financing of Terrorism. This regulation shall apply from 1 July 2025, with certain articles applying from 31 December 2025. This new Anti-Money Laundering Authority (AMLA) will have direct and indirect supervisory powers on those obliged entities within the financial sector, including CASPs, which are deemed as high ML/FT risk, and operate across borders in at least six member states. Direct supervision will be conducted by both AMLA and the national supervisory authorities, which together will form joint supervisory teams. Indirect supervision on the other hand will occur through coordination and oversight of the national AML/CFT supervisors.

AMLA will initially directly supervise up to 40 groups and entities and will further extend its remit after its initial setup. Among its powers and obligations will be those of drafting regulatory technical standards to be adopted by the Commission, and issue guidelines and recommendations, as well as carry out thematic reviews. Supervisory fees may also be levied by AMLA on certain obliged entities with respect to tasks that the authority undertakes. AMLA will also have mechanisms in place for cooperation and coordination with national and European supervisory authorities, for the purposes of assisting national supervisors and promoting supervisory convergence. Finally, the authority may impose pecuniary sanctions, as well as recurring periodic penalty payments on obliged entities when breaches are detected, following independent investigations.

Directive (EU) 2024/1640 will repeal the previous directive 2015/849 (the fourth AML directive) with the objective of implementing harmonised mechanisms in member states, with regards to the prevention of ML/FT. Members states will need to comply with the directive and bring laws into force in line with the directive by 10 July 2027, while by way of derogation, some articles will apply from 10 July 2029. This directive will impose on member states to set-up systems providing a single-access point for information regarding sectors of particular importance, to ease the exchange and access to information. These will take the form of centralised registers, which each member state must implement, and are the following:

• beneficial ownership register;
• bank account register; and,
• real estate information register.

These registers will be available to both the national authorities, obliged entities, and those having a legitimate interest. This legitimate interest will include non-governmental organisations, academics, and investigative journalists.

The directive will also govern the cooperation between national competent authorities and the information held by the national FIUs. It also provides for powers to the national FIUs to issue penalties, suspend or withhold consent for transactions, instruct obliged entities to monitor transactions or activities, and alert and provide information to obliged entities regarding information relevant to their CDD requirements.

This directive will also require member states to register and licence certain entities including certain service providers, investment migration operators, as well as conduct checks on senior management and beneficial owners of certain obliged entities.

The EBA will continue to operate as the primary responsible authority on AML/CFT until the end of 2025. The EBA will then transfer its AML/CFT mandates, powers, and resources, to the new AMLA. The EBA has been leading the EU financial sector’s fight against ML/FT since 2020, and the new legislative framework is a significant step in continuing the EU’s fight against financial crime, through harmonisation with the ‘single rulebook’ regulation, the establishment of AMLA, and the 6^th AML Directive.

We provide a comprehensive range of AML/CFT services to assist obliged entities in meeting their compliance expectations.

In line with the new AML Package, and consistent with the changes which will be required for obliged entities, we can conduct gap analysis assessments on existing AML/CFT frameworks, whilst ensuring compliance, provide advisory services, relevant training, and update policies and procedures.

We are also able to aid your staffing needs by providing additional professional experience and resources to your AML/CFT and financial crime teams and drive the necessary change within your teams.
 

This article was co-authored by Deborah Cassar and Keith Tabone Jacono.