Tightening the net: EU adopts sweeping AML reforms

Exploring the European AML reforms and the role of the AMLA in financial supervision

May 2024

A landmark reform of the European anti-money laundering (AML) regime is on the verge of completion. On 24 April the European Parliament formally adopted a new AML Regulation and legislation creating the new EU Anti-Money Laundering Authority (AMLA). This in effect completes the legislative journey for the EU’s ambitious AML reform package, launched in 2021 to enhance Europe’s ability to detect and prevent financial crime.


Common standards: The single AML rulebook

Beyond the need for a clear strategy, a governance structure and well-defined financial and legal boundaries, digital trust is one of the key components of a truly cyber-resilient ecosystem.

KPMG, together with the World Economic Forum and other collaborators, has developed a global framework for digital trust. This framework serves as a decision-making guide for organizations, enabling the development and deployment of reliable, trustworthy technology and, through it, trusted collaboration ecosystem-wide. The WEF defines digital trust as public expectations that “digital technologies and services — and the organizations providing them — will protect all stakeholders’ interests and uphold societal expectations and values.”

The digital trust framework provides a precise and compelling roadmap for this dynamic digital world and for the inevitable need to enhance adaptability and cyber resilience among digital ecosystems. Reliance on a common framework and language offering mutual standards and practices drives enhanced collaboration, consistency and trust in ever-evolving technologies while bolstering ecosystem defenses against potential threats. The digital trust framework encapsulates three goals:

Beneficial ownership (of companies, trusts etc.) is defined on the basis of both ownership and control. The beneficial ownership threshold is set at 25 percent, but with a lower threshold (up to 15 percent) for sectors identified as high-risk by the European Commission. This will require obliged entities to review the beneficial ownership of potentially thousands of entities subject to the lower threshold.

Enhanced due diligence measures are required for customers who apply for a so-called "Golden Passport". These are third-country nationals who receive European citizenship in return for an investment. Enhanced due diligence measures must also be applied for business relationships with high-net-worth individual (HNWI) customers when providing wealth management services involving amounts of EUR5 million or more. This will require firms to gather additional information regarding customers who may qualify as HNWIs.

Customer data, including identity records, must be updated at least every five years (except in low-risk cases where simplified due diligence is applied) and every year for high-risk customers. This is much more frequent than existing rules in many EU countries require. As a result, firms should invest heavily in updating their know-your-customer (KYC) systems and preferably switch to highly automated processes in order to avoid a massive increase in workload for manual periodic customer data updates.


Risk assessments must consider and classify firms’ exposure to money laundering and terrorist financing risks and financial sanctions according to a set of prescribed risk variables: activity, products, transactions, delivery channels, customers and geography. This may require significant reconfiguration of firms’ approaches to their AML risk assessments and might require upgrades to firms’ internal data systems to help ensure the necessary information is available.

There is also an obligation to take into account a specific, enumerated list of information sources when identifying those risks. This will require obliged entities to revise their risk assessment methodology, including the external information used.

Outsourcing of AML-related services is tightly regulated. Some key functions, including approval of AML policies, decisions on customer risk profiles and reporting of suspicious transactions, must be done in-house: how far ancillary functions and analysis may be outsourced will be specified in AMLA guidelines. As outsourcing of functions such as customer ID verification and data analysis is currently common practice, the new rules could require firms to review their existing outsourcing arrangements. In addition to these restrictions, all outsourcing of AML-related services must be notified in advance to supervisors.

In addition, the Regulation expands the list of ‘obliged entities’ required to comply with AML rules (for example, to include professional football clubs and football agents) and imposes an EU-wide cap of EUR10,000 on cash payments. For more detailed analysis, see the KPMG AMLA Office website.

The new watchdog: AMLA starts up

The second pillar of the new AML regime, AMLA, is expected to go live in the second half of 2024, starting with the appointment of its first Chair. AMLA will serve as both a regulator and supervisor.

AMLA’s main regulatory function will be prescribing many details of the new AML rulebook via guidelines and technical standards (RTS/ITS). We understand that informal working groups of national regulators, coordinated by the European Banking Authority (EBA), have already begun preparing over 80 standards and guidelines, drawing on analysis of existing rules in different countries. Under the AML Regulation, AMLA will have between two and three years to finalise these standards. This means some could be promulgated only shortly before the Regulation itself begins to apply (three years after publication in the EU Official Journal). Consequently, firms should closely monitor AMLA’s regulatory work programme (once this is published) to prepare for each standard or guideline as it emerges.

Alongside its regulatory work, AMLA must establish itself as a supervisor. Much of the public discussion to date has focused on AMLA’s role directly supervising the entities deemed to pose the highest money laundering risks. But given that it will directly supervise only 40 firms and will only start direct supervision in 2028, AMLA’s greatest impact will likely come from its position as an indirect supervisor, coordinating and harmonizing supervision by national competent AML supervisors/authorities.

AMLA is mandated to develop a harmonized supervisory methodology for all EU competent AML supervisors/authorities to use. This methodology will include common benchmarks for assessing the risks of each supervised firm, and common approaches to supervising firms’ internal policies, practices and controls. AMLA is also required to develop standardized templates for data collection, to ensure all EU AML supervisors are working on the basis of comparable information. These tools, along with judicious use of AMLA’s powers of peer review and recommendation, will enable AMLA to drive up standards and build a common supervisory culture across the EU.

In this effort, AMLA will be able to learn from the experience of its Frankfurt neighbour, the ECB, which began prudential supervision of significant euro area banks 10 years ago. In its early years, the ECB’s supervisory approach was characterized by extensive use of standardized policies, methods and questionnaires. This prioritized consistency across banks over responsiveness to differences in business model or geography. ECB leaders argued that this was necessary to forge a common European supervisory culture: the incoming AMLA leadership may take a similar view.


How financial firms can prepare

With the introduction of the new AML regime, financial firms should take great care to follow AMLA’s policy-making process to understand how far they need to adapt or overhaul their existing AML controls, policies and practices to comply. The harmonization of different national rules will mean the precise changes required will vary depending on the countries in which firms operate – and in some cases, will give firms more, not less, flexibility. The new single rulebook will take effect in 2027, but the groundwork will already be laid in the coming months. Therefore, firms should take the following key steps now to prepare:

  1. Closely monitor AMLA and the development of its guidelines and technical standards, to understand the new authority’s thinking.
  2. Review existing AML policies on a cross-group basis, as the first step toward developing group-level AML controls that meet the requirements of the new rulebook.
  3. Identify issues and geographies where the greatest change will be required, to prioritise efforts to ensure compliance.

KPMG’s new AMLA Office will act as a centre of expertise on the new agency. As the authority begins operations, our AMLA Office will provide regular updates and analysis of AMLA’s rulemaking and the development of its supervisory policies and practices. KPMG professionals are a prime contact for support in preparing for the new regulatory environment and for assistance with the implementation of appropriate compliance measures, i.e. to help you achieve “AMLA readiness”.




Our People

Irina Ipatova

Associate Partner

Global

Benedict Wagner-Rundell

Senior Manager

Germany
