European Commission Proposes EU-Level Supervisory Authority and Cryptocurrency Travel Rule

European Banking Authority Offers New Guidelines on AML Compliance Officers

Just as the United States has expanded significantly its anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) regulatory and enforcement regime through recent passage of the AML Act of 2020, the European Union (“EU”) has taken significant steps this summer towards implementing a rigorous new transnational AML enforcement framework.  Recent legislative proposals by the European Commission (the EU’s executive branch) aim to combat cross-border crime by ensuring uniform implementation and enforcement of AML/CFT principles, rules, and regulations, and by creating new recordkeeping requirement for certain cryptocurrency transactions.  Following the announcement of these legislative proposals, the European Banking Authority proposed in late July new EU-wide guidelines for AML/CFT compliance officers.  We examine each of these in turn.

The Legislative Proposals

In July, the European Commission announced a series of legislative proposals to strengthen EU AML/CFT rules, in alignment with its five year Security Union Strategy.  The highlights of these proposals include:

• the establishment of a transnational EU Anti-Money Laundering Authority (“EU AMLA”), operational by 2024, to coordinate “correct[] and consistent[]” application of EU AML/CFT rules;
• the creation of an EU AML/CFT Rulebook to create consistency across the EU with regard to rules on customer due diligence, beneficial ownership, and the powers and responsibilities of Financial Intelligence Units (“FIUs”);
• linking of existing national registers of bank accounts, facilitating FIU access to account information (including safe deposit boxes);
• the implementation of an EU-wide ceiling of €10,000 on cash transactions;
• and, perhaps most significantly for some sectors of our readership, extension of EU AML/CFT rules to additional crypto-asset service providers (“CASPs”) engaged in certain cryptocurrency transactions.

We discuss two proposals with possibility for the most wide-ranging impacts—the establishment of the EU AMLA and new AML/CFT rules for certain cryptocurrency transactions—below.

The Central Supervisory Authority Proposal

One legislative proposal suggests the creation of the EU AMLA, a central supervisory authority with wide-ranging powers and responsibilities.  The EU AMLA will be composed of several boards and committees, drawing from relevant regulators in the EU member states, including the heads of the FIUs.  Generally, the EU AMLA will be tasked with:

• Collecting information and monitoring trends to identify potential AML/CFT weaknesses in the EU and to create a central AML/CFT database;
• Directly supervising credit institutions with branches in seven member states and financial institutions with branches in ten member states, including supervisory reviews at both an individual and group-wide level;
• Encouraging uniform implementation and enforcement of AML/CFT regulations by financial and non-financial supervisors across the EU; and
• Encouraging and supporting cooperation among FIUs, including identifying joint investigations to be conducted among FIUs.

The EU AMLA will be empowered to issue guidelines and recommendations, collect information from member states, and draft regulatory technical standards.

The justification for an EU-level supervisory body with broad powers is at least threefold.  First, the EU believes there has been inconsistent implementation and enforcement of AML/CFT rules at the member state level.  A weakness in one nation is a weakness in all, as a weakness allows illicit funds to enter legitimate financial channels and spread across the EU.  Second, the EU cites the rising level of cross-border crime.  A supervisory body is needed to address these transnational crimes and coordinate cooperation and joint investigations among FIUs.  Third, the EU sees increased risk with certain regulated entities having a presence in many member states, because of the inherent risk of their business and its cross-border nature.  As noted above, the EU AMLA would be able to directly supervise their activities, countering the ML/FT risks presented.

As we have blogged, AML and money laundering enforcement in the EU is notable for its emphasis on process, but a general lack of actual prosecution of individuals – at least by U.S. standards.  The EU AMLA proposal appears to be a step towards slowly altering that dynamic.

Implementation of Cryptocurrency Travel Rule

As to cryptocurrency, the EU’s legislative proposal builds on the Financial Action Task Force’s (“FATF”) proposed standards for “virtual asset service providers” from June 2019 (which we blogged about here).  To match the FATF’s recommendations, the EU has extended its definition of CASPs, which had previously only included those who offered exchange services and custodial digital wallets, to those who transfer cryptocurrency.

The legislative proposal requires that “all transfers of crypto-assets” be “treated as cross-border wire transfers.”  As such, CASPs must collect and include, in any single or multiple related transfer greater than €1,000, the following information:

• name of the originator and the originator’s account number, where such an account exists and is used to process the transaction;
• the originator’s address, official personal document number, customer identification number or date and place of birth; and
• the beneficiary’s name and account number, where such an account exists and is used to process the transaction.

The originator’s CASP must not only collect, but verify the information on the originator before transfer. The beneficiary’s CASP is also obligated to “implement effective procedures to detect whether the information on the originator is missing or incomplete,” including post-transaction monitoring and risk assessments.  In single or multiple related transfers greater than €1,000, the beneficiary’s CASP must also verify the beneficiary’s information included in the transfer before releasing the cryptocurrency to the beneficiary.

U.S. authorities are also focused on digital assets and the Travel Rule.  In October 2020, the Financial Crimes Enforcement Network (“FinCEN”) proposed regulations – still pending – which would change the Travel Rule under the Bank Secrecy Act by lowering the applicable monetary threshold from $3,000 to $250 for collecting, retaining, and transmitting information related to international (but not domestic) funds transfers. The proposed regulations also would make clear that the Travel Rule applies to transactions involving convertible virtual currencies, as well as transactions involving digital assets with legal tender status, by clarifying the meaning of “money” as used in certain defined terms.  Generally speaking, industry has objected to this proposal by FinCEN, stressing the lack of available technology which would enable real-world compliance.

Proposed EU-wide EBA Guidelines for AML/CFT Compliance Officers

This objectively sizable upgrade of the EU’s AML framework will require more than just an enhancement and expansion of the existing cadre of AML-focused government employees at the national and transnational levels. As in the United States and elsewhere, the front-line work of AML compliance in the EU is typically done by private sector employees of financial institutions.  Acknowledging that reality, the EU also has turned its focus recently to the key role of compliance officers.  Specifically, the European Banking Authority proposed in late July new EU-wide guidelines for AML/CFT compliance officers (“Guidelines”).

In the Guidelines, presented for public consultation before adoption, the EBA emphasizes the need for compliance officers with seniority, competency, and independence.  Under the guidelines, a compliance officer should not only have a reputation for “honesty and integrity,” but should also have the “necessary AML/CFT skills and expertise” both in general and for the specific risks associated with the business.  In terms of independence, the compliance officer should not have other business functions that would represent a conflict of interest and should be able to complete their job without interference and with a direct line of communication to the managing body of the financial institution.

The impetus toward managerial autonomy for compliance officers displayed here is tempered by a willingness to regulate their work product at a granular level elsewhere.  The Guidelines lay out specifically how compliance officers should develop a risk assessment framework, prepare policies and procedures, on-board high-risk customers, monitor compliance, report to the managing body, report suspicious transactions, and develop and conduct training.  In Section 4.2.4(e), for example, the Guidelines lay out in detail the minimum content requirements for an AML/CFT compliance officer’s annual activity report to the financial institution’s managing body. The Guidelines also provide for an additional layer of oversight between the individual financial institution and the state, by mandating appointment of a group-level AML/CMT compliance officer for financial services firms operating as part of a group. As with the establishment of the EU AMLA, the goal is to ensure uniformity, making sure that effective group-wide policies are established and implemented consistently to reduce the risk of bad actors exploiting vulnerable institutions.

Additionally, the Guidelines lay out specifically when and what tasks of the compliance officer can be outsourced.  For example, strategic AML/CFT decisions, like the organization of the AML/CFT system, policies and procedures, and the business-wide risk assessment must be completed by the compliance officer.  Nor can compliance officers outsource the responsibility of reporting suspicious transactions or accepting high-risk customers.  For those tasks not off-limits, the compliance officer must first document the reasons for outsourcing and—after outsourcing—must actively monitor the third-party service provider and report to the managing body when required.

The EBA’s public consultation period on these draft Guidelines will run until November 2, 2021. The EBA is currently soliciting comments via a button on the consultation page of its website. It also plans to hold a (virtual) public hearing on September 28, 2021, requiring advance registration to receive dial-in instructions.

If implemented in this form, it is not clear whether the Guidelines would create increased regulatory or other liability for financial institutions.  It is also unclear whether a compliance officer’s failure to comply could lead to individual liability, a possibility in the United States that we previously blogged about.  Only time will tell whether the Guidelines and the proposed legislation will lead to a more uniform, cohesive, and cooperative AML/CFT system at the institutional, member state, and EU-level.