EU’s AMLA, Transfer of Funds and EBA’s AML CO Guidelines

Coinfirm’s Regulatory Affairs summaries the European Union’s key crypto regulatory moves including the:

• EU Parliament and Council Negotiators Reach Provisional Deal on Transfer of Funds Regulation
• EBA Final Report on Compliance Management and the Role and Responsibilities of the AML/CFT Compliance Officer
• European Council Partial Position to the Establishment of the Anti-Money Laundering Authority (AMLA)

EU Parliament and Council Negotiators Reach Provisional Deal on Transfer of Funds Regulation

The Transfer of Funds regulation introduces in an extensive way FATF Travel Rule – covering not only the minimum Travel Rule related requirements, but also going beyond in some aspects e.g. with the register on non-compliant CASPs. The full final text of the regulation has not been released publicly as of the end of June and Coinfirm’s fulls summary of the regulation will follow once the final text is available. However, what is worth highlighting is the EU press release explaining on high level how the final text approach two most debated elements, namely: 

• Threshold/ no threshold for crypto assets transfers requiring Travel Rule compliance 
• Treatment of transfers to and from unhosted wallets 

With regards to thresholds: 

• No de minimis threshold will be applied on CASP to CASP transfers or CASP to unhosted wallet transfers
• For transfers to/from unhosted wallets and CASPs > 1000EUR where the unhosted wallet is controlled by CASP client, the CASPs will need to verify that their client controls the wallet
• Transfers involving unhosted wallets will require application of mitigating measures commensurate with the risks identified in a particular transfer

EBA Final Report on Compliance Management and the Role and Responsibilities of the AML/CFT Compliance Officer

The EBA has released on June 14^th, 2022, guidelines detailing the role and responsibilities of AML/CFT compliance officers and of the management body of a credit or financial institution. 

The scope of the report is to complement the 4^th AMLD’s requirements in terms of internal policies, controls and procedures.

The need for a more detailed explanation of such was highlighted by the European Commission in its 2019 Supra-National Risk Assessment (SNRA) in view of proven misaligned interpretation and uneven implementation of such provisions by competent authorities and the private sector across EU Member States. 

Provisions:

Guideline 4.1 outlines the: 

• Role and responsibilities of the management body in the AML/CFT framework in its supervisory and management functions.
• Identification of the member of the management body responsible for AML/CFT. 

Additionally, it details the identification, role and responsibilities of the senior manager responsible for AML/CFT where no management body is in place.

Guideline 4.2 provides an extensive and comprehensive list of what is expected from the appointed AML/CFT compliance officer(s) in terms of:

• Whether the entity requires a full-time basis appointed compliance officer or the role can be carried out by an employee in addition to their existing functions – in case of the latter, the decision must be duly justified and documented, as well as a specific person must be delegated to take over the responsibilities of the role;
• The knowledge and expertise of the compliance officer(s) must be in line with the entity’s business model in order to develop and maintain an ML/TF risk assessment framework on a business-wide and individual basis, ensure that adequate policies and procedures are put in place, kept up to date and implemented effectively on an ongoing basis, and the officers must have unrestricted access to information and technical resources necessary to perform their duties;
• On a high level, reporting obligations include: providing the management body with mitigating procedures in line with updated laws, rules, regulations and standards; provide an activity report at least annually which must be readily available for the competent authority upon request; highlighting suspicious transactions and high risk individuals internally and to the FIU;
• Overseeing the preparation and implementation of an ongoing AML/CFT training programme as well as delivering it internally to employees.

The guideline also emphasises that the AML/CFT compliance function should be located in the second line of defence of the credit and financial institutions and relays key principles of outsourcing the AML/CFT compliance function. 

Guideline 4.3 covers the organisation of the AML/CFT compliance function at group level by  considering the complexity and the associated risks of the entity, outlining reporting lines and clarifying roles and responsibilities, with the main scope of creating a seamless AML/CFT framework  which ensures addressing effectively shortcomings. 

Reporting obligations at group level specify the need for the AML/CFT compliance officer of a subsidiary or branch  to have a direct reporting line with the group AML/CFT compliance officer. The group’s AML/CFT compliance officer must issue activity reports at least on an annual basis, must include data from reports issued by subsidiaries and present it to the group management body.

The guidelines will apply from 1 December 2022 to all financial sector operators that are within the scope of the 4th AML Directive.

After the publication of the translations of the Guidelines (exact date to be announced), persons with appropriate authority to report compliance on behalf of their competent authorities have a 6 month deadline to notify EBA whether they:

• Comply with the guidelines
• Intend to comply with these guidelines, 
• Otherwise, reasons for non-compliance,
• Have made changes in the status of compliance 

In the absence of any notification by the specified deadline, competent authorities will be considered by the EBA to be non-compliant.

Notifications should be sent by submitting the form available on the EBA website with the reference ‘EBA/GL/2022/05’.

European Council Partial Position to the Establishment of the Anti-Money Laundering Authority (AMLA)

On Wednesday 29th June 2022, the European Council announced it had reached a partial position on the establishment of the Anti-Money Laundering Authority (AMLA), the supervisory body of AML compliance by obliged entities in the European Union, first proposed on the 20th July 2021 by the EU Commission, alongside 3 other legislative proposals to strengthen AML/CTF in the bloc. 

Key reasons outlined for the establishment of a regulatory body purely focused on AML in the bloc by the Commission’s proposal are: 

• Improving efficient function of the AML/CFT framework
• Better integrating international recommendations
• The current AML/CTF framework needs an authority to combat “disclosed weaknesses [that] lead to the emergence of new obstacles to the proper functioning of internal market both due to the risks within the internal market as well as external threats facing the internal market.”
• Harmonised rules
• Improved AML supervision and co-operation between Member States’ financial investigative units (FIUs) to “reduce divergences in national legislation and supervisory practices”

The AMLA will be given wide-ranging powers, including “to directly supervise certain types of credit and financial institutions, including crypto asset service providers, if they are considered risky.” The Council also “entrusts the Authority to supervise up to 40 groups and entities – at least in the first selection process – and to ensure a complete coverage of the internal market under its supervision. More powers are also given to the general board in the governance of AMLA.”

Set to be operational by 2024, the independent authority – i.e. maintaining its own Executive Board –  will seek to follow baseline assessments of the Financial Action Task Force’s (FATF) black and grey lists (i.e. maintaining its own black and grey lists) as well as listing jurisdictions that pose a threat to the EU’s financial system that are not listed by the FATF.

The list of ‘risky’ entities directly supervised by the AMLA will be published and updated every 3 years. Entities deemed ‘risky’ are those: 

• Financial institutional (FI) lenders that operate in at least 7 Member States and are deemed ‘high-risk’ by at least 4.
• FIs, lenders and other non-bank FIs operating in at least 10 European countries, who engage in ‘sufficiently risky’ business.

In relation to FIUs, the AMLA will: 

• Operate as the central authority coordinator and a facilitator for FIUs 
• Coordinate and aid FIUs in increasing their efficacy of enforcing the single rule book whilst ensuring homogenous high quality supervisory standards, approaches and risk assessment methodologies
• Host communication between FIUs on FIU.net
• Ensure the organisation and comportment of joint analyses of suspicious cross-border transactions and activities

The Council’s agreement is only partial due to the location of the seat of the AMLA having not yet been chosen and agreed upon.