Table of Contents:
- What is the 5th Anti-Money Laundering Directive (AMLD5)?
- What is an EU “Directive”?
- Why is AMLD5 necessary?
- A short history: AMLD1 to AMLD6
- How does AMLD5 improve on AML4?
- 5 Key Updates in AMLD5
- Main EU policy changes from AMLD4 to AMLD5
- What is an “obliged entity”?
- AMLD5’s Crypto Definitions
- Which crypto entities must comply with AMLD5?
- Must crypto-to-crypto exchanges comply with AMLD5?
- How does AMLD5 affect the crypto industry?
- The Netherlands’ AMLD5-crypto-regulations
- The United Kingdom’s AMLD5 crypto regulations
- Germany’s AMLD5 crypto regulations
- France’s AMLD5 crypto regulations
PART I: THE EU’S 5TH ANTI-MONEY LAUNDERING DIRECTIVE (AMLD5)
What is AMLD5?
The 5th Anti-Money Laundering Directive (AMLD5) is an update to the European Union’s anti-money laundering (AML) legal framework. It was first published on June 19th, 2018 in the Official Journal of the European Union as an iteration of the 4th Anti-Money Laundering Directive (AMLD4).
The AMLD5, also known as 5AMLD or 5MLD, came into effect on July 9, 2018, and mandated the European Union (EU) bloc’s 28 member countries to transpose (transfer) its requirements into domestic laws before a deadline of 10th of January of 2020.
AMLD5 was followed a few months later in November 2018 by the 6th Anti-Money Laundering Directive (AMLD6), which is primarily also an update of AMLD4, and must be transposed by the EU countries on 3 December 2020 latest.
What’s an EU “Directive”?
An EU directive is a legislative act that establishes a common goal for all EU member states to achieve. Each country is given the flexibility to devise its own laws and frameworks on how to meet the directive’s goals.
Like FATF’s 40+9 Recommendations, the European Union’s AML directives are legally non-binding, but failure to adhere to them exposes member states to possible fines and other punitive measures. While the 10 January deadline has come and gone, most EU countries still haven’t met its requirements due to the complex nature of AMLD5 and the regulatory challenges it presents.
Why was AMLD5 necessary?
AMLD5’s introduction was expedited by the 2015-2017 proliferation of high-profile terrorist attacks in Europe as well as political scandals like the Panama Papers that followed in the wake of AMLD4.
During this period, European lawmakers were stunned by the new levels of sophistication money laundering had attained, as well as the facilitating part that cryptocurrencies played and could potentially continue to play if this behavior remained unchecked.
Therefore, the European Union’s lawmakers decided to iterate on AMLD4, in order to provide more robust protection against virtual asset-facilitated crime and greater transparency during crypto transactions.
AML Directives 1-6: A Short Review
The 5th Anti-Money Laundering Directive (2018) is the fourth update of the original EU AML Directive, which was published on June 10th, 1991, a mere two years after the founding of the G7’s Financial Action Task Force (FATF).
Here follows a synoptic overview of AMLD 1 to 6 (1991-2020):
- AMLD1 (June 1991) was Europe’s first AML/CFT framework, introducing preventative actions such as user identification, suspicious transaction reporting (STR) and customer due diligence (CDD) a full 2 years before the EU was officially created.
- AMLD2 (December 2001) updated 1AMLD and brought EU policy in line with FATF’s 40 Recommendations.
- AMLD3 (June 2006) brought EU standards in line with FATF’s revised AML/CFT policy and applied it to lawyers, accountants, casinos and real estate agents.
- AMLD4 (June 2015) resolved ambiguities in the 3rd Directive (which hadn’t been updated for a decade and strengthened global AML/CFT efforts by consulting the comprehensive FATF Standards update in 2012. AMLD4 had to be transposed by member states two years later, by 26 June 2017.
- AMLD5 (June 2018) updated the 4th Directive and introduced new requirements for cryptocurrencies, UBO registers, and prepaid card transaction limits. It had to be transposed by countries before 10 January 2020.
- AMLD6 (November 2018) updates both AMLD4 and AMLD5, broadens the scope of criminal liability to legal professionals, introduces maximum jail sentences of 4 years, updates the list of predicate offenses and imposes tougher penalties for AML transgressors. AMLD6 has a self-imposed deadline of 3 December 2020 for countries to transpose its measures into local law.
How does AMLD5 improve on AMLD4?
AMLD5’s legislation bolsters AMLD4 in specific areas:
- It updates and improves the EU’s current anti-money laundering (AML) and counter-terrorism funding (CFT) policies
- It closes AML4 loopholes still being exploited by financial criminals
- It brings the European Union bloc’s AML/CFT efforts in line with the new FATF Standards as updated in June 2019.
- However, there is still no provision for a European “crypto travel rule” as introduced by the FATF’s amended Recommendation 16 on Wire Transfers last year.
Top 5 AMLD5 Updates
- Obliged entities: Adds fiat-to-crypto companies and custodian wallet service providers
- Customer due diligence (CDD): Now required for funds from high-risk third countries
- Purchase Identification: Lower threshold to identify e-money and prepaid card buyers
- UBO Register: Now accessible to the public and mandatory for EU companies to review
- PEP screening: Members must list public offices and functions to help identify “politically exposed persons”
What are the main AMLD4-to-AMLD5 policy updates?
- AMLD5 now gives the general public access to beneficial ownership information of EU companies.
- The Ultimate Beneficial Owner (UBO) register must now include trusts and be publicly available and interconnected across member states. It is now also obligatory to consult the register when performing AML due diligence.
- A lower transaction threshold for electronic money (e-money) and prepaid instruments like prepaid (top-up) cards: down from €250 to the new €150 Euro limit.
- Crypto companies: Fiat-to-virtual currency exchanges and custodian wallet providers are now treated as “obliged entities”. They must, therefore, adhere to the same AML/CFT, KYC and data-sharing requirements as traditional financial institutions, such as monitored transactions and customer due diligence.
- These crypto entities must also be registered with each EU member country’s competent authorities, for example, Germany’s BaFin, or the UK’s Financial Conduct Authority (FCA).
- Also treated as obliged entities: art dealers and estate agents that act as trade intermediaries where the value of the combined transaction exceeds €10,000.
- Entities that provide services as a professional activity or main business to auditors, financial accountants, and tax advisors.
- Improved powers for and cooperation between financial supervisory authorities (FSAs) and Financial Intelligence Units (FIUs).
- Enhanced Customer Due Diligence (EDD) must be carried out when dealing or transacting with high-risk third countries.
- Obliged entities are now able to use eiDAS-compliant technology to carry out Customer Due Diligence (CDD) for AML/CFT purposes.
- For the benefit of obliged entities, EU nations must create an up-to-date database of national public offices and functions in order to identify politically exposed persons (PEP).
- AMLD5 brings an end to anonymous bank accounts, savings accounts, and safety deposit boxes in the EU.
What is an AMLD5 “obliged entity”?
AMLD4 introduced the term “obliged entity”, modifying it from 3AMLD’s “designated entity” definition to bring certain financial institutions slipping through the cracks under its regulatory AML/CFT scope. The 5AMLD took it a step further and now also considers certain cryptocurrency-dealing companies and a few other enterprises to be in its scope.
Currently, “obliged entity” refers to specific financial institutions and businesses, which are:
- Credit institutions
- Financial institutions and money service businesses (MSBs)
- Financial and legal entities: auditors, accountants, tax advisors, notaries, independent legal professionals, trust and company service providers, gambling service providers and individuals who conduct cash transactions exceeding €10,000
- Fiat-to-crypto exchanges and custodian wallet providers
- Art dealers, and real estate agents acting as transaction intermediaries where the combined value is over €10,000
PART II: EU MEMBERS’ RESPONSE TO AMLD5
How will the European Commission enforce AMLD5?
While countries were given up to 2 years to implement AMLD4 before infringement charges were issued, the same courtesy will likely not be afforded to 5AMLD transgressors.
Valdis Dombrovskis, the Executive Vice-President of the European Commission (EC), the EU’s executive branch which is also responsible for legislation, revealed in middle January 2020 that the European Commission is taking AMLD5’s implementation very seriously, already drawing up infringement procedures only a month after the January 2020 deadline.
Countries that continue to ignore taking the necessary AML/CFT compliance measures are destined to have their day in the Court of Justice, where if found guilty they may be handed severe financial penalties that might continue until they improve to the satisfaction of the EC.
February 2020- EC send AMLD5 non-compliance letters to 8 EU members
On 20 February 2020, the European Commission issued letters of formal notice that urge 8 EU Member States to transpose the 5th Anti-Money Laundering Directive. The Euro
Letters were sent to the Netherlands, Portugal, Romania, Cyprus, Hungary, Slovakia, Slovenia, and Spain for not having notified the EC of any implementation measures for the 5th Anti-Money Laundering Directive.
The commission cited the need for all Member States to comply so that no legislative acts occur and impact the whole EU.
According to the Commission, the Member States mentioned failed to timely transpose the Directive 10 January 2020 and the EC encourages them all to do so urgently. Without “a satisfactory response” from the Member States within 2 months, the Commission may decide to send them reasoned opinions.
How are EU countries implementing AMLD5?
While the 10 January deadline has come and gone, most EU members are still not compliant with AMLD5 (or even AMLD4 in some cases).
While AML directives apply to all EU countries, member nations are notoriously slow to implement the necessary changes.
For example, countries were so lax to adopt AMLD4’s challenging measures that the European Commission had to launch infringement procedures against 20 nations, ultimately reporting Ireland, Romania, and Luxembourg to the European Court of Justice for non-compliance.
Yet, even in 2020, some EU countries are still not fully compliant with AMLD4.
While AMLD4 presented a more seismic shift in the EU’s regulatory approach as its first new AML/CFT directive in nearly 10 years, and AMLD5 in many ways merely iterates on AMLD4, it is likely that the majority of EU countries will be slow to build domestic frameworks that fully comply with AMLD5, preferring where possible to take a wait-and-see approach. They will not be afforded the same lengthy stay of execution as under AMLD4 though, as the EU’s letters of notice on 20 February clearly show.
PART III: AMLD5 vs CRYPTOCURRENCIES
The stringent new regulatory approach to deal with cryptocurrency exchanges, treating them as “obliged entities” (see above), is probably the AMLD5’ s most controversial policy change. This follows the adoption of FATF in June 2019 of the U.S. Bank Secrecy Act’s so-called “crypto travel rule” as well the United States’ Financial Crimes Enforcement Network (FinCEN)’s CVC Guidance in May 2019. Other U.S. regulators like the SEC and CFTC have also stepped up virtual asset policing, which is set to continue with the proposed Crypto-Currency Act of 2020.
AMLD5’s Crypto Definitions
The 5th AMLD defines virtual assets and related activities now as follows:
- Cryptocurrency: “A digital representation of value that can be digitally transferred, stored or traded and is accepted by natural or legal persons as a medium of exchange”.
- Virtual Currency Exchange Platforms (VCEPs): “Providers engaged in exchange services between virtual currencies and fiat currencies” – in other words, crypto-fiat currency exchanges
- Custodian Wallet Providers (CWPs): Providers of “custodian wallets” or crypto wallet services; where they hold the users’ private keys “to hold, store and transfer virtual currencies”.
- Beneficial Owners: “Any natural person(s) who ultimately owns or controls the customer, and/or natural person(s) on whose behalf a transaction or activity is conducted.”
Which crypto businesses must comply with AMLD5?
As previously mentioned, the European Commission now considers certain cryptocurrency businesses to be “obliged entities”.
- “Providers engaged in exchange services between virtual currencies and fiat currencies” (VCEPs) – cryptocurrency exchanges that take traditional currency from users and convert it into virtual assets such as Bitcoin.
- “Custodian wallet providers” (CWPs) – cryptocurrency wallet services that keep the private keys of its customers
The AMLD5 updates now mean that “VCEPs” and “CWPs”:
- are considered to be financial institutions
- are therefore subject to the same AML/CFT requirements as traditional financial institutions
- are now legally required to register their businesses with local authorities in the EU
- are required to implement transparent, Know-Your-Customer (KYC), Customer Due Diligence (CDD) and Suspicious Activity Reporting (SAR)
- must be able to hand over identifiable user information to Financial Intelligence Units (FIUs) if requested, such as real names and addresses.
Must crypto-to-crypto exchanges comply with AMLD5?
AMLD5 does not apply to crypto-to-crypto exchanges, however, these entities are covered by the FATF’s Recommendation 16 “crypto travel rule”. This discrepancy between the FATF 40+9 Recommendations and AMLD5 means that some EU countries will play it safe and go the extra mile, introducing more crypto regulations than what AMLD5 necessitates.
How does AMLD5 impact the crypto industry?
The new changes represent a sea change for anonymity-seeking users and exchanges. Cryptocurrencies like Bitcoin are by design either anonymous or pseudonymous and don’t require real-identity information to be transmitted to another party- only a public address, which can be generated ad infinitum by wallet owners.
A recent study showed that over 60% of the Top 120 exchanges used weak or “porous” AML/KYC processes. This indicates clearly that the majority of virtual asset exchanges are ill-prepared and poorly equipped to handle the changes that AMLD5 brings.
A big reason is purely financial: The crypto exchange industry is dominated by market leaders Coinbase and Binance, who have clearly separated themselves from the pack, while most other exchanges are small and operating on tight margins that leave little room for additional overheads.
AMLD5 will require innovation which will come at a cost, there is no doubt. There is a risk that exchanges’ volumes could get hit due to the loss of anonymity but the other side of the argument is that it could be replaced by institutional flows.
Finally, the EU’s General Data Protection Regulation (GDPR) act, which is a regulation and therefore legally different from a directive, and e-privacy laws pose a complex dilemma in this context. There is a long-standing debate globally over whether AML supersedes privacy and different countries have different stances.
The 5th directive will have its biggest impact in jurisdictions that have little to no existing AML regulatory framework, where exchanges have been operating with impunity.
The significant financial, technical and privacy-related burdens that AMLD5 brings with it has already forced the hand of some exchanges, who have either closed shop or chosen to relocate as a direct result.
One of the biggest issues for affected virtual asset businesses is that the AMLD5 is ambiguous enough that it can be interpreted in different ways, as EU nations see fit. This means that fiat-to-crypto exchanges and custodian wallet providers need to conduct an expensive and difficult country-by-country approach. For example, crypto-related obliged entities may have to register with the local authorities in each country, such as Germany’s BaFin and the UK’s FCA.
Additionally, the timing of exactly when each country will issue regulation is unknown, despite the deadlines. So for an exchange to be “fully compliant” if it operates in 26 countries, in theory, all 26 regulators need to have announced and implemented its respective regulation.
PART IV: HOW DOES AMLD5 AFFECT EU COUNTRIES’ CRYPTO POLICIES?
The EU’s 27 members (following the UK’s Brexit departure) are culturally very diverse and this is also reflected in the approaches they take with legislation such as AMLD5. Only a handful of members have implemented compliant frameworks at the time of the AMLD5 deadline, such as Germany, Italy and the Netherlands.
“The complexity of accessing Europe for any industry is exacerbated by the lack of a common regulatory regime. EU directives and regulations often have enough room for interpretation for national governments to apply their own political agenda. As a result, regulation of the cryptocurrency sector across Europe ranges from the more permissive, often in offshore locations, to the highly restrictive.”
Some countries (e.g. Switzerland, Malta, and Gibraltar) are implementing forward-looking measures that go beyond the directive’s AML scope, while some Eastern European members are lagging far behind. Of major concern to all countries is how the data-sharing mechanism with FIUs might expose parties to a breach of the EU’s General Data Protection Regulation (GDPR).
The United Kingdom, Netherlands, and Germany have used AMLD5 to take vastly different approaches to crypto regulation in its countries, which could force crypto businesses to spend much more on compliance licenses and human resources.
The Netherlands’ AMLD5 crypto response (Q1 2020)
The Netherlands drew criticism for its exorbitant proposed country license fee (from the Dutch Central Bank) for custodian wallet providers or parties that offer crypto exchange services in or from the Netherlands. A license could cost up to 150,000 euros in order to comply with the WWFT (Dutch AML/CFT act). The “in or from” criteria applies to any crypto business with Dutch customers, therefore it is likely that most smaller players will simply withdraw services to Dutch residents. The law is currently being discussed in the Dutch parliament.
As a direct result, the crypto derivatives exchange Derebit announced a day after the January 10, 2020 deadline that it would move its operations to Panama in order to save time, cost and protect users’ privacy. This follows the 2019 migration of KyberSwap from Malta to the British Virgin Islands and the closing of UK-based startup BottlePay.
The UK’s AMLD5 crypto response(Q1 2020)
In the UK, which has since left the EU with Brexit at the end of January, the Financial Conduct Authority (FCA) took over on 10 January 2020 as the UK’s main AML/CFT supervisor of crypto assets and related businesses and activities. They are now responsible for regulating crypto exchanges, custodian wallet providers, Bitcoin ATMs and token issuers.
The FCA declared in February that it would postpone the country’s FATF’s R.16 June 2020 implementation deadline to allow VASPs more time to implement suitable solutions. This is a significant development, as the FCA is one of the world’s strongest and most established regulators of the cryptocurrency industries. Therefore, their postponement may influence other countries to follow suit.
Germany’s AMLD5 crypto regulatory response (Q1 2020)
Due to their influence in the EU, Germany usually leads by example when it comes to implementing EU regulations. Germany has therefore established a rigorous licensing framework for locally operating crypto businesses, who now need to register with German regulator BaFin since 1 January 2020.
As part of a “catch-all” regulatory measure, digital assets such as virtual currency payment tokens and security tokens have also been defined by Germany as financial instruments, thereby now subjecting cryptocurrency businesses and applications such as rewards points to more traditional financial regulation. However, e-money is not defined as a crypto asset.
In neighboring Austria, it gets even worse for regulation dodgers. Digital exchanges could face fines of up to 200,000 Euros if they don’t register for a license.
France’s AMLD5 crypto regulations (Q1 2020)
French AML/CFT regulator AMF (Autorite des marches Financiers) is developing a “common sense” licensing framework with opt-in features, in accordance with its PACTE (“Action Plan for Business Growth and Transformation”) draft bill. The bill is particularly focused on Initial Coin Offerings (ICO’s)such as an optional visa regime for ICOs to help them raise funds compliantly.
However, AMF registration is mandatory for service providers who offer custody services to third parties or transact in crypto-to-fiat exchanges. These parties will also have to follow a strict AML core compliance structure.
AMLD5 perfectly highlights the regional and technical challenges involved in creating a reasonable and practical global compliance framework to regulate virtual assets and hopefully can inspire other regional blocs to draw from best practice while avoiding common pitfalls.
Together with other regulatory requirements such as the FATF travel rule, AMLD5 is however unmistakably pushing European countries and crypto service providers towards a more transparent regime of virtual asset transacting and investing.
AMLD5 also compels the EU to play catch-up with Asian countries like Japan and Korea (who are currently leading the world in AML/CFT compliance) and China, who will release their central bank digital currency (CBDC) soon.
For crypto businesses looking to do business with EU-based customers, whether institutional or individual, it is best to take a long view and implement a comprehensive AML/KYC procedure and R.16 compliance mechanism in order to future-proof regional operations. Virtual asset regulations are here to stay and the longer companies abstain from dealing with them, the more difficult it will become.
For entities looking to quickly and cost-effectively deploy a mechanism to transmit data per Travel Rule or FATF Rec. 16 requirements, Sygna Bridge offers a timely solution.
Sygna Bridge is a simple API messaging platform that helps VASPs share compliance-required transactions with counterparts securely and with flexible privacy. To learn more or request a demo, please contact firstname.lastname@example.org.