By Samantha Sheen, AML Director Europe, ACAMS
20 July, 2016

EU Proposals to Bolster the Fight Against Financial Crime

On 5 July 2016, the European Commission (“EC”) announced its proposals to further amend the 4th Anti Money Laundering Directive (“4AMLD”). The proposed changes are aimed at reinforcing the European Union’s rules on anti-money laundering (“AML”), to counter terrorist financing (“CFT”), tax evasion and increase transparency around beneficial ownership (“Proposals”).

This post summarises the Proposals concerning virtual currency platforms, e-wallets and prepaid cards.

Virtual Currency Exchange Platforms (“VCEPs”) & E-Wallets

The EC has assessed that VCEPs & E-Wallets are two means that could be used in an anonymous manner to finance terrorist activities. In its communication to the European Parliament and the Council on an action plan for strengthening the fight against terrorist financing on 5 July 2016, (“EC Communication”), the EC noted that:

“Innovation in financial services and technological change, for all its benefits, creates new opportunities which may sometimes be abused to conceal terrorist financing. New financial tools such as virtual currencies create new challenges in terms of combatting terrorist financing…For innovative financial tools, it is critical to be able to manage the risks relating to their anonymity, such as for virtual currencies”.

The EC proposes to bring VCEPS and E-Wallet providers under the scope of the 4AMLD as obliged entities under Article 2 so that they will be supervised under the national AML/CFT legislation of each Member State. This means that these providers will be required to apply AML/CFT measures required under local AML regulations, including the undertaking of customer due diligence (“CDD”), transaction monitoring and suspicious activity reporting.

The EC believes that these proposals will provide greater transparency around those who own and try to use virtual currency for the financing of terrorism or other criminal activities.

VCEP operators and E-Wallet providers will also be designated for data protection (“DP”) purposes. This means that they will have to have to handle customer personal data in compliance with local DP regulatory requirements. This will include complying with processing of personal data requirements when performing customer due diligence. Personal information will need also need to be retained and destroyed in accordance with the DP requirements.

Note: The EC has indicated that implementation of the above measures will allow for further consideration by it around a possible system of voluntary self-identification of virtual currency users. So this may not be the end of the AML/CFT measures likely to be introduced for this sector.

Prepaid Cards (“Cards”)

Since the introduction of the 4AMLD in 2015, there has been increasing evidence that Cards are being used to finance the logistics of terrorist attacks. The EC’s research has further found that terrorism financing risks are linked to the Exemption (see below) and the ease in which Cards can be used anonymously online.

Issuers of Cards distributed in the EU are already required to comply with AML/CFT requirements. Under Article 12 of the 4AMLD Member States may exempt obliged entities, subject to certain conditions, from apply in certain CDD measures to Cards. (“Exemption”). The Exemption criteria includes that:

  •  The Card must not be reloadable, or
  • Has a maximum monthly payment transactions limit of €250 and can be used only in the Member State where it is issued or
  • The maximum amount that can be stored on the Card does not exceed €250.

The Proposals now provide that the Exemption threshold should be lowed to €150.

The Exemption also provides that CDD not need to be performed on a Card holder trying to redeem or withdraw funds from the Card, provided that the amount was below €100. The Proposals also amend this requirement by reducing this amount to €50 and will require that CDD measures be undertaken where a Card is used to make an online payment above this amount.

More stringent requirements will apply for Cards used on the internet so that CDD measures will need to be completed at the time the Card is activated. The EC has indicated in the Proposals that the detailed design of these measures are under consideration.

There will also be new measures to ensure that Cards issued outside the EU can only be used in the EU if they comply with the basics CDD requirements equivalent to those set out in Article 13 of the 4AMLD. Banks will have to refuse payments which are attempted with Cards from countries whose CDD requirements fall below those in the 4AMLD.

Possible Next Steps

It comes as no surprise that VCEPS and E-Wallets will now be required to apply AML/CFT requirements. Perhaps what will be more interesting will be how regulators will assess the controls used by them to fulfil the CDD requirements.

Given how different these businesses are in terms of their format (operating entirely online) and likely use of electronic identification, regulators will not be able to rely upon the approach they have used for banks and other more traditional financial institutions to assess their compliance with AML/CFT requirements.

Also, regulators will also need to develop a good operational understanding of the blockchain if they are to conduct meaningful evaluations of the transaction monitoring by VCEPs and E-Wallet providers, along with their controls around public and private key access.

The objective behind the changes made to Card requirements will clearly be supported by compliance professionals. However, it is possible that these changes could result again in de-risking, without intending to do so.  Some banks, for example, may elect to simply not process or accept Card payments rather than invest in the controls (such as staff training and technology) that will be needed to comply with these requirements. The impact for consumers in some countries could be significant.

The EU has a responsibility to ensure that it undertakes timely monitoring over how these requirements are implemented both by Member States and the private sector. Where early signs of wholescale de-risking is detected, there will be a need for both Member States and the EC to react and work collaboratively to mitigate such consequences, before they become a widespread practice that proves difficult to reverse.