Zaha Natour, Compliance Officer at BSP. Credits: BSP

The European Parliament and Council have recently published the AML/CFT package, marking a significant overhaul with three key legal texts at its core. This initiative aims to combat money laundering, terrorist financing, and financial system abuse, and to pave the way for establishing an EU-wide AML/CFT authority.

On 19 June 2024, the European Parliament and Council published the new anti-money laundering, its predicate offences and/or countering the financing of terrorism (“AML/CFT”) package (hereinafter the “AML/CFT package”) — an extensive reformative legislative package — that consists mainly of three legal acts:

, aimed at preventing money laundering and/or terrorist financing (“ML/TF”) — also known as the EU AML ‘Single Rulebook’ (“AMLR”). This regulation will come into effect on 10 July 2027, except for specific new obliged entities, for whom it will apply from 10 July 2029.

, concerning mechanisms to prevent financial system abuse for ML/TF (“AMLD6”). This directive will be applicable as of 10 July 2027.

, establishing the authority for AML/CFT (“AMLAR”) in the EU. This regulation will take effect from 1 July 2025. However, specific provisions will apply earlier, on 26 June 2024 and 31 December 2025.

The AML/CFT package also includes a fourth legal act—, also known as the “Funds Transfer Regulation”, which relates to information accompanying transfers of funds and certain crypto-assets to enhance traceability and combat ML/TF. This regulation, which will not be addressed further on this occasion, is a recast of , and it will become fully applicable on 30 December 2024.

Critiques of the Current AML/CFT Framework

Currently, the EU upholds a robust AML/CFT framework, successively governed by (the 5th AML Directive), and its antecedents. But why is it imperative to alter the status quo, and what is the rationale behind this paradigm shift? Despite considerable progress in tackling ML/TF-related issues, EU Member States have voiced concerns about significant challenges encountered in their collective efforts to combat ML/TF, inter alia:

- Diverging implementation across EU Member States, which posed challenges in enforcing consistent AML/CFT-related measures, considering the global nature of financial crimes and the increasing integration of financial flows within the single market.

- Insufficient enforcement instruments to detect and penalize illicit financial activities effectively; hindering the framework’s ability to deter criminals.

- The lack of a unified AML/CFT framework across the Union, resulting in inconsistent AML/CFT supervision and impeding cooperation among EU Financial Intelligence Units (“FIUs”).

Strengthening AML/CFT Measures in the EU

The newly introduced AML/CFT package seeks to revamp the EU’s jigsaw of AML/CFT rules. It establishes a comprehensive institutional framework at both national and, where applicable, supra-national levels. By transposing its measures into national legislation, the package’s explicit purpose is expected to be realized. This purpose is threefold:

- It mitigates systemic vulnerabilities and closes loopholes that criminals exploit to launder illicit proceeds or finance terrorist activities within the financial system.

- It harmonizes the fragmented AML/CFT legislative framework across EU Member States through a single rulebook.

- It establishes the EU AML/CFT Authority (“AMLA”), a decentralized EU regulatory body to ensure the uniform application of the EU’s AML/CFT rules and coordination among the national authorities of Member States.

Key Elements of the Package: A Simplified Guide

1. AMLR

The AMLR broadens the current AML/CFT framework’s scope at scale, by integrating and codifying essential provisions that significantly strengthen the AML/CFT-related preventive tactics throughout the EU. These provisions address:

- the scope of application on obliged entities;

- internal policies, controls, and procedures of obliged entities;

- customer due diligence (“CDD”);

- beneficial ownership transparency;

- reporting obligations;

- information sharing;

- data protection and record retention; and

- measures to mitigate risks deriving from anonymous instruments.

Extended scope of obliged entities

The scope of entities subject to AML/CFT requirements, referred to as ‘obliged entities’, has been extended, covering additional sectors. Despite certain exemptions, the following entities are now within the AMLR’s ambit:

- crypto-asset service providers (“CASPs”) with transactions amounting to at least EUR 1,000;

- traders involved in high-value goods trading, such as jewellery, luxury watches, precious metals and stones, aircraft, motor vehicles, watercraft, artworks, etc.;

- professional football clubs engaged in certain types of transactions and football agents. Member States may exempt smaller clubs if they can demonstrate low risk, for example, those with a turnover of less than EUR 5 million in the preceding two years;

- investment migration operators, defined as those offering services to third-country nationals seeking residence rights in a Member State in exchange for investments;

- non-financial mixed holding companies; and

- gambling service providers, subject to certain exemptions.

Internal policies, procedures, and controls

In-scope entities are to develop comprehensive internal policies, procedures, and adequate safeguards to mitigate and monitor, on an ongoing basis, their exposure to ML/TF risks. The management of these entities is obliged to assign two pivotal roles: (i) a designated ‘Compliance Officer’ and (ii) a ‘Compliance Manager’ who is a board member — both are globally accountable for ensuring adherence to AML/CFT rules as outlined in the AMLR. 

Reinforcement of CDD measures

AMLR fortifies, in a targeted manner, the CDD requirements for obliged entities by instituting specific and rigorous preventive measures for scenarios necessitating enhanced due diligence (“EDD”) beyond standard or simplified measures. These scenarios, in part, may include the following:

- cross-border correspondent relationships for CASPs;

- financial and credit institutions engaging with high-net-worth individuals possessing assets exceeding EUR 50 million and assets under management surpassing EUR 5 million; or

- occasional transactions and business relationships involving high-risk third countries, based on a risk assessment aligned with the Financial Action Task Force (“FATF”) warning lists.

EU-wide limit for cash payments

In-scope entities are required to comply with the new EUR 10,000 cash payment limit. Member States retain the flexibility to set a lower maximum, if deemed necessary, due to specific national risks, if any, subject to a three-month notification period. For occasional cash transactions of at least EUR 3,000, parties must be identified and beneficial owners verified.

Consolidating and reinforcing beneficial ownership transparency

In-scope entities must implement streamlined beneficial ownership transparency for their clients and counterparties. While the concept of beneficial ownership remains the same, a clearer framework has been designed for identifying individuals who ultimately own or control legal entities, including those with multi-layered or complex ownership structures. The threshold for ownership interest, shares, or voting rights is set at 25% or more. Member States should use a risk-based approach for categories of entities with high risks of ML/TF. They can propose a threshold of no more than 15% to the EU Commission. However, the EU Commission has the authority to set a higher threshold based on risk, as long as it is lower than 25%.

To effectively manage the risks associated with foreign legal entities and arrangements, it is crucial that, in cases of medium-high risk of ML/TF, entities based outside the EU register their beneficial ownership information in the central register (in Luxembourg, the so-called 'Register of Economic Beneficiaries' (Registre des Bénéficiaires Effectifs) (“RBE”)). This registration should be a prerequisite for initiating or continuing a business relationship with an obliged entity in the relevant EU Member State. Additionally, stricter requirements have been thoroughly established for reporting discrepancies in beneficial ownership registers. Further, provisions on data protection and record retention have been revised to allow competent authorities access to information on beneficial ownership held by in-scope entities.

Additional potential countermeasures and “high-risk third countries”

Obliged entities are required to apply EDD measures to occasional transactions and business relationships involving third countries regarded as high-risk. Either the obliged entities or the EU Member States, if justified by high-level risk, may adopt additional countermeasures to protect the Union’s financial ecosystem from potential ML/TF risks. If Member States consider adopting further countermeasures, they must notify the EU Commission thereof, which may revoke such measures if deemed unnecessary. 

2. AMLD6

The AMLD6 widens the regulatory scope of money laundering offences, clarifies definitions related to those offences and their perpetrators, and enforces strict penalties across Member States. It covers provisions that could not be included in the AMLR: (i) registers, (ii) FIUs, (iii) AML supervision, (iv) cooperation, and (v) data protection. The following summarizes the major aspects of the AMLD6:

Central registers of beneficial ownership

AMLD6 provides, in plain language, guidelines for recording and maintaining beneficial ownership information in central registers (at present, as aforementioned, Luxembourg maintains the RBE). These registers include details about the beneficial ownership of legal entities and legal arrangements, as well as information about nominee arrangements and foreign legal entities. This information must be accurate, up-to-date, and verified. Further, records must be retained for at least five years, with an additional five-year period in the case of a criminal investigation pursuant to Article 10. 

Moreover, these registers are reliable databases for beneficial ownership information. They cross-check the data with financial sanctions and ensure, within a reasonable time, that the submitted information is accurate and consistent. If there are any suspicious issues, registration can be withheld. In cases of uncertainty, authorities have the right to conduct on-site inspections to identify and/or verify the rightful beneficial owner.

Access to the registers is granted to FIUs, other competent authorities, self-regulatory bodies, and obliged entities, all free of charge and in digital form. Also, public access is conditional and granted to persons with a legitimate interest (e.g., the press).

National AML supervision, central account registers, and FIUs

AMLD6 sets out rules to facilitate greater collaboration between FIUs and other competent authorities (i.e., AMLA, Europol, Eurojust, and the European Public Prosecutor’s Office). Hence, its key objectives include enhancing efficiency in addressing complex or cross-border financial crime scenarios by fostering reciprocal cooperation and information exchange. Moreover, the directive aims to empower FIUs with enhanced capabilities to detect and track instances of ML/TF effectively.

Notably, AMLD6 entails streamlining the organization of national AML/CFT systems by delineating exhaustive guidelines to promote mutual cooperation between the FIUs and national supervisors. This involves the supervision of obliged entities by separate national supervisors relying on a risk-based approach, granting them the authority to conduct crucial off-site, on-site, and thematic checks, as well as any other inevitable inquiries and assessments, as per Article 40.

Furthermore, a single central register (exemplified by the central register of bank accounts (CRBA) in Luxembourg) will encompass information pertaining to accounts identified by International Bank Account Numbers (“IBANs”), including virtual IBANs, securities accounts, and CASPs’ accounts. These central account registers in Member States are poised to be interconnected, thereby facilitating the efficient exchange of information with the FIUs.

Statistical reporting, supervisory colleges, and regulatory technical standards

Member States are required to compile and publish statistics on AML/CFT to evaluate their effectiveness. Equally important, AMLD6 stipulates that Member States establish supervisory colleges in both the financial and non-financial sectors within the EU, as well as with counterparties in third countries. In this regard, AMLA will issue guidelines that Member States should incorporate into their legal frameworks.

3. AMLA

AMLA is the new decentralized body of the EU, which will be based in Frankfurt am Main, Germany, and is expected to be fully operational by July 2025. Its purpose is to strengthen the AML/CFT framework, ensure high-quality supervision, promote harmonization, and facilitate information exchange among FIUs and other competent authorities within the Union. Its function is twofold:

Supervision:

AMLA combines both direct and indirect supervisory competencies over financial entities. It directly supervises ML/TF high-risk entities, including CASPs, and indirectly supervises other financial entities by collaborating with national supervisors. While national supervisors will oversee most entities, those under AMLA’s direct supervision should expect heightened scrutiny. In the non-financial sector, AMLA mainly coordinates with national supervisors and encourages alignment in their supervisory practices.

Harmonization and coordination:

AMLA is required to follow a standardized supervisory methodology. Given the cross-border nature of ML/TF, AMLA will set up an integrated mechanism with national supervisors to ensure that relevant entities in the financial sector abide by AML/CFT-related obligations; it will also support those in the non-financial sector. Along with that, AMLA will issue guidelines, recommendations, and opinions to advance consistency among supervisors.

In addition, AMLA is not only responsible for establishing and maintaining a central AML/CFT database to facilitate AML supervisory activities, but is also entrusted with general powers such as coordinating and supporting FIUs, which include, among other things, participating in a joint analysis of ML/TF and managing the FIU’s information exchange system (FIU.net).

Luxembourg: Horizons Ahead

Luxembourg's primary legal AML/CFT instruments encompass the AML Law of 12 November 2004, as amended, the Grand Ducal Regulation of February 2010, as amended, and the Law of 13 January 2019 related to the RBE. These instruments, altogether, are supported by a range of AML/CFT circulars and guidelines issued by competent national authorities (e.g., the Commission de Surveillance du Secteur Financier (CSSF)).

The AML/CFT framework in Luxembourg, like that of any other EU Member State, is heavily influenced by EU harmonization efforts. Once the AML/CFT package is live, in the not-too-distant future, Luxembourg, as a member of the OECD and a jurisdiction within the FATF, will be de facto bound to align its respective legal framework with the provisions of the AMLR and AMLD6 within three years and the AMLAR within one year.

Conclusions

In conclusion, the new AML/CFT Package bolsters the EU’s efforts against ML/TF through stricter measures and enhanced transparency. Member States are now assessing the legislative amendments needed to transpose this package into their national laws. With the legal texts finalized, it is crucial to identify operational gaps and plan actions accordingly for the upcoming Fall. This proactive approach will ensure compliance and fortify the financial environment. Nonetheless, the real-world impact hinges on the success of the implementation, which remains to be seen.