2.1 Definition and Scope

The purpose of this directive is to ensure that the EU’s financial system is not used for the purposes of money laundering (ML; also AML for anti money laundering) or terrorist financing (TF; also CTF for combating terrorist financing). Thereby, money laundering is defined as any of the following activities provided it is pursued intentionally (Art 1):

1. 1. the conversion or transfer of property, knowing that such property is derived from criminal activity or from an act of participation in such activity, for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person’s action
2. 2. the concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of, property, knowing that such property is derived from criminal activity or from an act of participation in such an activity
3. 3. the acquisition, possession or use of property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation in such an activity
4. 4. participation in, association to commit, attempts to commit and aiding, abetting, facilitating and counselling the commission of any of the actions referred to in the previous points

Or, to make the point shorter albeit less precise, money laundering means helping to convert the proceeds of criminal activity into assets that appear to come from legal activities.

Terrorist financing in the context of this directive is defined as follows (Art 1):

‘terrorist financing’ means the provision or collection of funds, by any means, directly or indirectly, with the intention that they be used or in the knowledge that they are to be used, in full or in part, in order to carry out any of the offences within the meaning of Articles 1 to 4 of Council Framework Decision 2002/475/JHA.

The directive applies to a number of obliged entities, notably credit institutions and other financial institutions, and a number of professions that are traditionally related to the acquistition or exchange of assets like lawyers, notaries, or estate agents. Notable entities included are providers of gambling services and anyone trading in goods to the extent that it involves payments in cash of over €10k in aggregate terms (Art 2).

Credit institutions in the context of this article are entities commonly referred to as banks, as defined the CRD4‐CRR Regulation 575/2013 (Art 3):

‘credit institution’ means an undertaking the business of which is to take deposits or other repayable funds from the public and to grant credits for its own account (Art 4.1.1).

‘Financial institutions’ covers a large range of entities. First, it covers those which carry out activities listed in the Annex I to the CRD4‐CID Directive 2013/36/EU (Art 3). Those are defined in Annex I of CRD4‐CID:

• lending of all kinds (Point 2)
• financial leasing (Point 3)
• payment services (Point 4)
• issuing and administering other means of payment (Point 5)
• guarantees and commitments (Point 6)
• trading for own account or for account of customers (Point 7)
• participation in securities issues and related (Point 8)
• investment banking advisory (Point 9)
• money broking (Point 10)
• portfolio management and advice (Point 11)
• safekeeping and administration of securities (Point 12)
• safe custody services (Point 14)
• issuing electronic money (Point 15).

It also covers insurance companies offering life insurance, as defined in Solvency 2 2009/138/EC, Article 13.1, and investment firms as defined in Article 4.1.1 of MiFID 2004/39/EC. Finally, it applies to collective investment undertakings, and insurance intermediaries as defined in Article 2.5 of IMD 2004/39/EC (Art 2). If necessary, Member States can extend the scope to other areas (Art 4).

2.2 Implementation

Both the Commission and the Joint Committee of EBA, EIOPA, and ESMA periodically issue opinions and guidelines (Art 6). Member States assess the risks of ML and TF within their jurisdiction and develop measures to mitigate them. They also establish a designated authority that has responsibility to coordinate AML and CTF measures with other Member States (Arts 7, 8). The Commission is compiling a list of high‐risk third countries where they consider that the AML/CTF regime is insufficient and in respect of which special transaction rules apply (Art 9).

Anonymous accounts or passbooks are forbidden, and there are measures in place to prevent misuse of bearer shares and bearer warrants (Art 10). Customer due diligence measures must be applied by obliged entities when (Art 11):

1. establishing a relationship
2. carrying out occasional transactions of €15k or more
3. carrying out occasional transfers of €1k or more
4. trading in goods for cash of €10k or more
5. providing gambling services of €2k or more (stake or winnings).

They also must be applied every time where there is a suspicion of ML or TF, and when there are doubts about previously obtained customer identification data. Where appropriate, series of linked transactions are to be considered as one transaction as far as the threshold amounts are concerned (Art 11). Member States may allow obliged entities to forego some due diligence measures for electronic money instruments that satisfy certain conditions, including that both monthly transaction volume and maximum amount stored do not exceed €250 (Art 12).

Obliged entities must apply the following customer due diligence measures on a risk‐sensitive basis (Art 13):

• establishing the customer’s identity based on documents, or information obtained from a reliable source
• identifying the beneficial owner, and—where different—verifying that person’s identity as well
• understanding the purposed and intended nature of business relationship.

Risk assessment has to take a number of specific points into account (Annex I). Obliged entities also must monitor the customer relationship on an ongoing basis, including scrutinising transactions to ensure that they are in line with the customer profile previously established. They also have to be able to demonstrate to the relevant authorities that their measures are appropriate (Art 13). Except in circumstances where the risk of ML or TF is low, customer verification has to take place before any transactions are being carried out (Art 14).

In low‐risk areas it is sometimes possible to carry out simplified customer due diligence procedures (Arts 15–17). On the other hand, when dealing with the aforementioned high‐risk third countries, or in other cases of higher risk, enhanced customer due diligence measures have to be applied. This includes examining complex and unusual transactions and transaction patterns, especially if they have no apparent economic purpose (Art 18). Similarly, special rules apply to politically exposed persons and their relationships, for example the requirement to obtain senior management approval, to establish the sources of their wealth and funds, and to generally conduct enhanced, ongoing monitoring of those relationships (Arts 20–23). Relationships with shell banks—banks that have no appropriate physical presence (Art 3)—are forbidden (Art 24).

Whenever an entity is working with an institution in a third country—whether this country is considered high risk or not—it must perform due diligence on that institution, document respective responsibilities with respect to AML/ATF obligations, and obtain senior management sign‐off (Art 19). Obliged entities can rely on the contributions of third parties (except those located in high‐risk third countries) for their due diligence process. However, the responsibility remains with the obliged entities (Arts 25–29).

Where an obliged entity knows or suspects that a certain transaction is related to ML or TF, it must refrain from carrying out said transaction until it has been reported to the relevant FIU (see below), and that FIU has authorised the firm to execute the transaction. There is an exception where not carrying out the transaction is impossible, or where it is likely to frustrate efforts to pursue the beneficiaries of that operation, in which case the FIU must be informed immediately afterwards (Art 35). The fact that a transaction has been reported must not be communicated to the customer in question (Art 39).

Obliged entities have to retain all due diligence records as well as all transaction records, in a format suitable for judicial proceedings, for at least five years after the relationship has ended. After that point, personal data must usually be deleted (Art 40). General data protection rules apply, and the processing of the due diligence data for commercial purposes is prohibited (Arts 41, 43). The entities must have systems and processes in place to respond fully and speedily to enquiries from their FIU (Art 42).

If obliged entities are part of a group, they must implement group‐wide policies and procedures compliant with this regulation, including in third countries wherever this is legally possible (Art 45). Entities must ensure—on a basis proportionate to the risk incurred—that their employees are aware of their duties under this regulation, and must organise training in this respect (Art 46).

To the extent that this is not already required by other pieces of applicable legislation, obliged entities must be registered or authorised, and their management must pass a fit and proper test, which in particular excludes people with a prior relevant criminal record (Art 47). They must be adequately monitored for compliance with those regulations (Art 48). Breach of obligations can be sanctioned (Arts 58–62).

2.3 Obligations of All Companies

Whilst the previous part of the regulations applied to companies in financial services only, this part deals with all companies, and in fact mostly with companies that are potential financial service customers. The key requirement here is that all entities incorporated in the EU must hold information about their beneficial ownership, ie who is or are the natural persons who ultimately benefit. It must also hold information details of beneficial interests held. All this information must be disclosed to obliged entities during the due diligence process, and it also must be held in a central register that is accessible to everyone having a legitimate interest. Obliged entities, however, are not allowed to solely rely on that central register for their due diligence process (Art 30).

Similar provisions apply to trusts (Art 31).

2.4 Financial Intelligence Units and Cooperation

All Member States establish what is called a Financial Intelligence Unit (FIU), which is an institution that receives all reports on suspicious activities, analyses them, and distributes the intelligence gathered to the appropriate entities concerned. It is responsible for both operational analysis of individual incidents and the strategic analysis of system‐wide trends (Arts 32–34). Disclosure under this regulation—if done in good faith—is not considered a breach of a contractual or legal obligation to not disclose those facts (Art 37), and individuals who disclose such information (whistleblowers) must be protected from negative consequences of such disclosure, in particular in relation to discriminatory employment actions (Art 38).

The various official actors involved in this space (FIUs, other national competent authorities, ESAs, the Commission) interact according to specified guidelines (Arts 49–57).

2.5 Information Requirements on Transfers of Funds

The related regulation 2015/847 on the information accompanying transfers of funds decrees that—unless equivalent information can be derived from the context—all transfers either starting or ending in the EU must be accompanied by the payer’s name, account number, and, importantly, either address or official personal document number (eg passport number) or customer identification number or date and place of birth. Intermediaries must have systems in place that detect missing information, and are obliged to hold up transfers if it does not comply with those regulations. This supplements the AML regulations by blocking transfers that have not been subject to the appropriate processes.