AMLR: a new EU-wide level playing field through increased harmonisation

10 mn

After years of negotiations, the EU Parliament has finally adopted the long-awaited EU regulation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, which focuses mainly on customer due diligence aspects.

After years of negotiations, the EU Parliament has finally adopted the long-awaited EU regulation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AMLR or Regulation), which focuses mainly on customer due diligence aspects.

To give some background, its main objective is to address the issue of the currently fragmented application of AML/CFT rules across the EU by avoiding, in the future, discrepancies in how each Member State implements these into their national legislation. To date, these discrepancies have been possible as the current EU AML/CFT framework is largely based on EU directives that require implementation at Member State level. This will now be achieved through a directly applicable EU-wide regulation, which thus provides for the necessary granularity of customer due diligence rules to be applied by each Member State. This will then also pave the way for an aligned and much more harmonised AML/CFT framework within the EU, fostering a genuine level playing field in this area.

While a number of the requirements under the AMLR appear, at least at first glance, to be largely in line with the current AML/CFT framework in Luxembourg (which is largely based on AMLD4 [1] and ALMD5 [2]), it introduces several new provisions and nuances to existing requirements, which will require attention to detail from obliged entities.

Although the ultimate objective of the Regulation is to achieve a maximum level of harmonisation, where it is required for risks, Member States will mostly remain free to introduce, at least for some aspects, more stringent rules than those under the AMLR.

Based on the above, it is to be expected that the Luxembourg AML/CFT framework will have to be significantly amended, not just at the level of the law of 12 November 2004 on the combat against money laundering and financing of terrorism, as amended (2004 Law), but also with regard to sector-specific regulations and circulars issued by the relevant competent authorities.

In the following developments, we will shed light on some of the more notable changes when considering the existing AML/CFT framework in Luxembourg (be it in terms of scope, customer due diligence requirements, adequate internal organisation or the required cooperation with national competent authorities).

Extended scope of obliged entities subject to AML/CFT obligations

While most obliged entities targeted by the AMLR were already subject to AMLD4 and ALMD5, the Regulation extends the scope of obliged entities subject to AML/CFT requirements, notably to:

  • persons trading, as their regular or principal professional activity, in precious metals and stones, or other high-value goods such as jewellery, clocks and watches exceeding EUR 10,000;
  • all crowdfunding platforms and intermediaries;
  • certain football clubs and football agents;
  • credit intermediaries which are not authorised as credit institutions or investment firms;
  • investment migration operators defined as offering services to third-country nationals which seek to obtain residence rights in a Member State in exchange for any kind of investment; and
  • non-financial mixed holding companies.

Furthermore, the definition of already targeted obliged entities has been updated to extend the AMLR’s scope to crypto-asset service providers regulated under the MiCA Regulation, which applies as from 30 June 2024, although most of these service providers were already regulated in Luxembourg under the 2004 Law.

While the legal privilege of independent legal professionals which are subject to the AMLR has, in essence, been preserved, such professionals will now be subject to certain specific new limitations.

As regards insurance undertakings that carry out life or other investment-related insurance activities, the AMLR now explicitly provides that insurance holding companies and mixed-activity insurance holding companies also fall within its scope, while providing an exemption for insurance intermediaries that distribute life or other investment-related insurance products but do not collect premiums or amounts intended for the customer and which act under the responsibility of insurance undertakings or intermediaries for such products.

EU-wide ban for large cash payments

The Regulation imposes an EU-wide maximum limit of EUR 10,000 for cash payments, regardless of whether the transaction is carried out in a single operation or in several operations which appear to be linked. The Regulation specifies that the respective Member States will have the flexibility to impose a lower maximum limit at their own initiative.

It should be noted that payments between natural persons who are not acting in a professional capacity and payments or deposits made at the premises of credit institutions, electronic money issuers and payment service providers are exempt from this threshold. However, payments or deposits above the EUR 10,000 limit with the aforementioned institutions must be reported to a Financial Intelligence Unit (FIU) within a certain timeframe.

Enhanced customer due diligence requirements

The AMLR largely leverages on the already existing customer due diligence obligations provided for under AMLD4 and ALMD5. While one may therefore not expect a complete overhaul of those obligations, as is so often the case, the devil is in the detail here. The AMLR provides that for some obliged entities and transactions, customer due diligence measures now have to be applied to persons even beyond those directly transacting with obliged entities.

In this context, although the EU-wide threshold for the application of customer due diligence for occasional transactions has been lowered to EUR 10,000, there are some, more limited, customer due diligence requirements that remain applicable even to transactions below this threshold, notably when carrying out occasional cash transactions amounting to a value of at least EUR 3,000.

As regards crypto-asset service providers, these entities are now required to apply some limited customer due diligence measures, even for occasional transactions below EUR 1,000.

In order to ensure that risks of non-implementation or evasion of targeted financial sanctions (TFS) are appropriately mitigated, obliged entities are required to verify whether the customer or the beneficial owner(s) of a transaction are subject to TFS. In the case of a legal entity, obliged entities must verify whether any natural or legal persons subject to TFS control the legal entity or hold more than 50% of the proprietary rights of the entity or a majority interest in it. In the event that such sanctions are verified, obliged entities will need (without prejudice to the obligations enforcing TFS) to keep records of:

  • the funds or other assets that they manage for the customer at the time when TFS are made public;
  • the transactions attempted by the customer; and
  • the transactions effectively carried out for the customer.

The extent of the applied customer due diligence measures shall be determined on the basis of an individual risk assessment, notably with regard to the specific risk characteristics of each customer and the respective business relationship. It is worth noticing that new risk variables and factors will need to be considered here, thus increasing the complexity and granularity of the risk assessment process.

In this regard, obliged entities are required to keep record of the actions taken in order to comply with customer due diligence requirements. This recordkeeping requirement also applies to situations in which an obliged entity has refused to enter in a business relationship.

Enhanced obligations regarding beneficial ownership transparency

While requirements for the identification and registration of beneficial owners are specified and harmonised, the threshold for being considered a beneficial owner is maintained at 25% or more of the shares or voting rights or other ownership interest. For legal entities associated with a higher AML/CFT risk, as per the national risk assessment, this threshold can be reduced by Member States to a minimum threshold of 15% in accordance with an EU Commission delegated act.

Further amendments and clarifications have been made at the level of the definition of “beneficial owner”, providing greater detail on both the ownership and control. The AMLR also provides clarifications regarding the methodology to be applied in order to assess the beneficial owner in a multilayered structure and especially in the case of coexistence of ownership and control features. The AMLR now provides for ad hoc requirements for the investment funds sector and specific nominee-related disclosures, the impact of which will have to be carefully assessed, especially for the investment funds sector.

While provisions regarding the registers of beneficial owners have been further specified as regards legal arrangements and trust schemes, it is worth highlighting that the AMLR now obliges foreign legal entities and arrangements to register with EU-based registers of beneficial owners when entering into specific business relationships with EU-based obliged entities or in the event of EU-based acquisition ventures.

Ongoing monitoring and periodical reviews

The AMLR provides that, when performing ongoing monitoring, obliged entities must:

  • take an interest in the fund’s destination, where necessary;
  • cover all products and services if the business relationship covers multiple products and services; and
  • take into account information relating to business relationships that a customer has with entities belonging to the same group.

Apart from the above notable and rather new specificities, the AMLR, much in line with the current AML/CFT framework, also addresses the aspect of updates for the customer KYC information.

Therefore, as for periodic updates of customer information, obliged entities must determine the frequency on the basis of the risk posed by the business relationship, without the frequency of updates exceeding one year for high-risk customers and five years for other customers (thus a shorter time frame than the current time frame for other customers).

The AMLR also provides for specific cases in which obliged entities must carry out ad hoc updates, which include changes in the relevant circumstances of a customer or the entity becoming aware of a relevant fact pertaining to the customer.

Obliged entities must also regularly verify whether the customer or beneficial owner is subject to financial sanctions, at a frequency that shall be commensurate to the exposure of the entity and the business relationship to risks of non-implementation and evasion of targeted financial sanctions.

Ongoing monitoring and periodical reviews

At the level of enhanced due diligence, the new AMLR requirements can be summarised as follows.

  • Amendments regarding third-country policy measures and requirements regarding AML/CFT threats from outside the European Union

    The Regulation provides for a more granular framework for the identification of “high-risk third countries” and the customer due diligence to be applied. AMLR also confers new powers on the EU Commission to adopt delegated acts in this field. In addition to the option to also adopt specific countermeasures, the AMLR distinguishes between different types of third countries. Depending on which third country category is relevant to the specific case, obliged entities will have to apply either all or only some selected enhanced due diligence measures.
  • Specific enhanced customer due diligence for certain types of cross-border correspondent business relationships

    In addition to the existing requirements for enhanced customer due diligence for cross-border correspondent business relationships, the AMLR now provides for detailed requirements for specific types of cross-border correspondent relationships, for example, when involving crypto-asset service providers or where the third country faces increased concerns from an AML/CFT perspective.

    The Regulation also now explicitly prohibits correspondent relationships with shell institutions and specifies that crypto-asset service providers must ensure that their accounts are not used by such shell institutions to provide crypto-asset services by establishing policies and procedures that make it possible to detect any attempt to use their accounts for the provision of unregulated crypto-asset services.


  • Politically exposed persons

Among the notable changes, the AMLR broadens the definition of “politically exposed persons” by adding further detail on which persons are likely to meet the criterion of prominent public function, whether at Member State, EU or third-country level. As a result, this criterion now includes, inter alia, the heads of regional and local authorities and groupings of municipalities and metropolitan regions. Siblings of politically exposed persons are also included in the list of relevant family members (which is already the case under the 2004 Law), but further distinctions are to be applied with regard to when siblings are to be taken into account in cases concerning politically exposed persons.

Furthermore, in addition to the list specifying the exact functions which, in accordance with national law, qualify as prominent public functions (a consolidated list of which has just recently been issued at EU level), Member States will have to request that each international organisation accredited on its territory issue such a list for its organisation. In this context, the EU Commission will be empowered to adopt a delegated act specifying the format for the establishment and communication of the national lists of prominent public functions.

  • Simplified customer due diligence obligations

    Obliged entities will now have to take into account the increased list of risk variables and factors before being able to apply simplified customer due diligence to a given business relationship. Although the AMLR does not otherwise entail a fundamental change to the existing requirements in this field, it is worth highlighting that the identity verification process can still be postponed for such a customer, it will have to be completed within 60 days in any case.

Clarifying the scope of internal policies, procedures and controls

As regards the adequate internal organisation to be put in place by obliged entities in terms of the necessary internal policies, procedures and controls to be enacted in order to identify, assess and mitigate potential AML/CFT risks, the AMLR now specifies:

  • in greater detail the scope of such policies, as well as necessary internal measures to be adopted (including aspects pertaining to the compliance manager and officer);
  • that two years after the entry into force of AMLR, the AML Authority (AMLA) shall issue guidelines on the elements that obliged entities should take into account when adopting their internal policies, procedures and controls; and
  • as regards group-wide requirements, the scope of the policies, procedures and controls to be put in place by groups, notably with respect to guarantees concerning confidentiality, data protection and information sharing for AML/CFT purposes, the minimum content of which should be specified by the AMLA in regulatory standards.
Outsourcing

In accordance with the 2004 Law, the revised EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) and Circular CSSF 22/806, the AMLR provides that obliged entities may continue to outsource AML/CFT-related tasks to service providers upon the notification of this outsourcing to their supervisory authority prior to the provision of such services.

Although financial institutions, for example, were already allowed to outsource the execution of certain AML/CFT operational tasks, the AMLR now provides for a more detailed framework organising such outsourcing, including a list of tasks that in-scope entities are not allowed to outsource, which include, inter alia:

  • the decision on the risk profile to be attributed to the customer;
  • the decision to enter into a business relationship or carry out an occasional transaction with a client;
  • the approval of the criteria for the detection of suspicious or unusual transactions and activities;
  • the reporting to FIUs of certain suspicious activities or transactions, except where such activities are outsourced to another obliged entity belonging to the same group and established in the same Member State.

Obliged entities shall now be able to demonstrate to their supervisory authority that they understand the rationale behind the AML/CFT tasks carried out by the service provider and the approach followed by the latter in their implementation, and that these activities mitigate the specific AML/CFT risks to which the obliged entity is exposed.

In this context, obliged entities are also required to ensure that the outsourcing does not materially impair the respective supervisory authorities’ ability to monitor and retrace the obliged entities’ compliance with AML/CFT requirements.

Cooperation obligations with national competent authorities

As regards the cooperation obligations with competent authorities, obliged entities will be required to comply with multiple new reporting rules established in several grounds of its activities.

The Regulation also provides detailed requirements for reporting suspicious transactions, including attempted transactions, and other information regarding money laundering and terrorism funding to the FIU.

In this context, where an obliged entity is unable to comply with the due diligence measures imposed by the Regulation, it now required to report (almost systematically) a suspicious activities report to the FIU in relation to the customer.

Obliged entities shall also provide the FIUs, upon their request, with all necessary information within five working days, which may be shortened to less than 24 hours in justified and urgent circumstances.

Where the activities of a partnership for information sharing between obliged entities result in the knowledge of any suspicious activity, one of the obliged entities which identified the suspicions shall be tasked with submitting a report to the FIU. If the obliged entities are established in several Member States, the information shall be reported to each relevant FIU.

The AMLA will be required to issue guidance on indicators of suspicious activities or transactions and to draft a common template for the reporting of such suspicions, activities and transactions.

[1] Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC.

[2] Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and amending Directives 2009/138/EC and 2013/36/EU.