In this article, Diane Bugeja, Senior Associate, and Peter Mizzi, Compliance and AML Advisor at Camilleri Preziosi Advocates, assess the upcoming thorough and sweeping changes to be made at EU level with regard to combatting financial crime related to Money Laundering and Funding of Terrorism. In particular, they examine how the different legislative proposals, such as the introduction of a harmonised EU single rulebook and a stand-alone AML/CFT supervisor, will strengthen the fight against financial crime within the bloc.


On 20 July 2021, the European Commission (the 'Commission') formally announced its proposal (the 'Proposal') for a regulation of the European Parliament and of the Council on the prevention of the use of the financial system for the purpose of Money Laundering or Terrorist Financing ('ML/FT') [1]. The proposal consists of an ambitious package that seeks to overhaul the current European Union ('EU') Anti-Money Laundering and Countering the Financing of Terrorism ('AML/CFT') regime, focusing on consolidation and harmonisation in an attempt to overcome existing gaps and loopholes in the current framework, most prominently at the cross-border level. This article will mainly focus on the introduction of new rules, updates and reforms, particularly those relevant to reducing cross-border crime among Member States ('MS'), originating from the following legislative proposals:

  • this proposal for a Regulation on the prevention of the use of the financial system for the purposes of ML and FT;
  • a proposal for a Directive establishing the mechanisms that Member States should put in place to prevent the use of the financial system for ML/FT purposes, and repealing Directive (EU) 2015/849 [2];
  • a proposal for a Regulation creating an EU Authority for anti-money laundering and countering the financing of terrorism ('AMLA') [3]; and
  • a proposal for the recast of Regulation (EU) 2015/847 expanding traceability requirements to crypto-assets [4].

Shortcomings with the existing EU AML/CFT framework

Illicit flows emanating from financial crime represent a severe threat to the reliability and stability of the EU economy and the financial system, as well as to the safety and security of EU citizens. Estimates from Europol indicate that around 1% of the EU's Annual Gross Domestic Product is 'detected as being involved in suspect financial activity'.

This comes as no surprise when considering the major scandals that have rocked the Union over the last decade. In particular, the Danske Bank [5], Deutsche Bank AG [6] and Latvia's ABLV Bank AS [7] scandals have seriously damaged the integrity and reputation of the EU as a financial services hub.

This was further corroborated by the Commission in 2019, which revealed that criminals have long exploited disparities in AML/CFT regimes among MS. Thus, EU action is warranted to ensure a fair playing field throughout the Union, with obliged entities in all Member States subject to a consistent and harmonised set of AML/CFT obligations. Moreover, given the cross-border nature of financial crime, it is critical that Member States, national supervisors, and Financial Intelligence Units ('FIUs') cooperate and coordinate with each other in the sharing and dissemination of intelligence.

1. A regulation establishing an EU AML/CFT authority (in the form of a decentralised EU regulatory agency)

The proposal for a Regulation creating the Anti-money laundering authority ('AMLA') establishes an integrated, EU-level supervisor for combatting ML/FT whilst also acting as a support and cooperation framework for FIUs (which takes the form of a Directive as seen below).

Following the successful implementation of the EU AML single rulebook (discussed hereunder), the AMLA will be at the heart of a revamped EU AML/CFT supervisory system, directly supervising the highest-risk financial institutions that operate in a large number of MS. Through the AMLA's coordination of national supervisors, it will indirectly supervise the remaining financial and non-financial entities that fall under the EU AML/CFT framework.

The AMLA will possess the power to act on its own behalf if it is found that the local supervisory regime is not enforcing EU law. Therefore, it is anticipated that regulatory emphasis will shift toward those MS where local regulators have been traditionally less active or effective. Further, where an entity that is not directly supervised is exposed to very substantial ML/FT risk, financial supervisors need to provide formal notification to the AMLA.

With respect to FIUs (national regulators), the AMLA will be able to obtain relevant information and documentation for it to perform its tasks, as well as issue guidelines and recommendations. AMLA is also expected to provide technical advice on the development of standards and future rules to the European Parliament, European Council and the Commission.

The aforementioned proposals provide the AMLA with the ability to bolster AML/CFT compliance among MS, directing its attention to high-risk areas and situations where national supervision is lacking, as necessary.

2. A new regulation on AML/CFT, containing directly applicable rules, including a revised EU list of entities subject to AML/CFT rules (known as Obliged Entities)

Data extracted from Commission reports in 2019 confirmed the necessity for the introduction of harmonised regulations across the internal market. These studies found that, while the provisions of Directive (EU) 2015/849 and Directive (EU) 2018/843 are broad, their lack of direct applicability, and delayed transposition, resulted in various interpretations and fragmentation across MS. Consequently, issues with the existing EU AML/CFT frameworks have made it difficult to tackle cross-border financial crime. The Commission notes that scandals across MS disrupt the functioning of the single market and lead to reputational damage. In a bid to avoid regulatory divergences and the other aforementioned issues, going forward AML/CFT rules applicable to obliged entities will take the form of a regulation as opposed to a directive.

However, the proposal does not merely transfer existing provisions from the AML/CFT directives to a regulation; rather, several changes of substance are made in order to bring about uniformity and convergence in the application of AML/CFT rules across the EU.

Increased scope of obliged entities:

Crypto-Asset Service Providers ("CASPs"), unregulated crowdfunding platforms, creditors for mortgage and consumer credits and associated intermediaries, as well as investment migration operators, are now considered obliged entities and thus subject to the AML/CFT framework. In addition, AML/CFT requirements will no longer apply to persons trading in goods. On the other hand, dealers in precious metals and stones are often considered high risk in terms of ML/FT and shall continue applying AML/CFT obligations.

Internal Policies, controls and procedures:

Building on existing EU AML/CFT legislation, the new requirements provide clarity on how obliged entities are to identify, analyse, mitigate and monitor ML/FT risks through the implementation of AML/CFT policies, controls and procedures. Management is to ensure that compliance functions and roles are adequately resourced and take responsibility to ensure that staff are properly trained and aware of the AML/CFT obligations.

Customer due diligence measures:

Most of the existing Customer Due Diligence ('CDD') requirements will take the form of regulatory technical standards provided by the AMLA and will be transferred from the current AML/CFT rules. Despite this, several proposals will provide transparency and further detail on CDD obligations. Harmonised and uniform rules on CDD will reduce national divergence, allow for consistent application and thus create a level playing field across MS, making it harder for criminals to misuse the system or redirect their efforts towards the weakest link in the chain. However, obliged entities are to ensure the application of CDD requirements following a risk-based approach, through evidence-based decision-making processes that target ML/FT risks more efficiently and effectively.

Specific and detailed provisions are laid down on identification and verification processes for natural persons, legal entities, trusts and other legal arrangements, whereas conditions for the use of electronic identification will be clarified. Obliged entities will be required to obtain information on both the source and destination of funds, the estimated amount and economic rationale behind the transactions or activities.

Furthermore, the application of Simplified Due Diligence ('SDD') and Enhanced Due Diligence ('EDD') will be covered in detail, whereas the threshold for applying CDD measures for occasional transactions will be reduced from €15,000 to €10,000, thus triggering additional CDD requirements for entities.

Beneficial Ownership:

Building on existing EU AML/CFT legislation, the proposals for updated beneficial ownership rules will streamline the process of transparency among MS [8]. The concept of holding adequate, accurate and current beneficial ownership information seeks to address the lack of granularity, which allows criminals to exploit divergent application of rules. To mitigate risks of criminals hiding behind nominee arrangements, new disclosure requirements are introduced for nominee shareholders and nominee directors.

3. A proposal for a Directive establishing the mechanisms that Member States should put in place to prevent the use of the financial system for ML/FT purposes, and repealing Directive (EU) 2015/849

The Regulation creating the AMLA and its accompanying Directive provide a support and collaboration system for FIUs, whereby the AMLA will ensure consistent reporting, assist FIUs with a comparative analysis of STRs and also host the FIU.net platform.

The AMLA will create, exchange, and promote intelligence on ways for detecting and analysing suspicious transactions aimed at enhancing the reporting processes and procedures. Furthermore, to facilitate the understanding and collaboration between obliged entities and FIUs, the AMLA will conduct specialised training and provide assistance to both FIUs and obliged entities. Thus, obliged entities will receive assistance and know-how with respect to detecting suspicious activities/transactions and details on how these are to be reported to the respective FIUs. Standardised templates and models will be introduced to enhance and expedite the reporting process and the sharing of information between FIUs at a cross-border level. Obliged entities that operate in multiple MS and are tasked with reporting to several FIUs stand to benefit the most from standardised reporting procedures and templates.

The AMLA will also be tasked with promoting, coordinating and collaborating on FIUs' efforts in MS. The main goal is to enhance knowledge, share best practice examples, and improve threat/vulnerability assessment, all of which will contribute to the publication of studies on ML/FT threats, risks, typologies, and methodologies.

As joint analysis and investigations become more commonplace, the Directive clarifies that variations in MS national laws should not affect the capacity of an FIU to cooperate with another EU counterpart. Should an FIU refuse to participate in an inquiry, it must provide justification to the AMLA. As a result, obliged entities can anticipate an increase in FIU requests for customer information.

The Commission will be tasked with the management, maintenance and hosting of the FIU.net platform until the AMLA is fully up and running. Furthermore, the Directive requires MS to sustain and consolidate information and metrics in relation to the functioning of their AML/CFT frameworks. In particular, this covers data and information pertaining to the number of reports made to the FIU and the underlying predicate offences.

The lack of feedback provided to obliged entities by FIUs following the submission of suspicious transaction reports has long been an issue. In response, FIUs will be guided on how they are to respond and provide feedback on ML/FT threats, trends and typologies.

Furthermore, the introduction of centralised automated mechanisms will provide FIUs with direct access to the identity information of payment and bank account holders. Accordingly, the Directive provides that such mechanisms will be linked to a single access point administered by the Commission and available to all MS.

Such reforms will be of paramount importance toward resolving the challenges of cross-border information transmission. However, in view of increased sharing of information, obliged entities must ensure that information submitted to the FIUs is of sufficient and accurate quality. Overall, these changes will provide obliged entities with much needed cross-border intelligence which can in turn be used to improve internal ML/FT policies, controls, and procedures.

4. Third-country policy and ML/FT threats from outside the Union

The persistent nature of significant strategic deficiencies emanating from third countries outside the Union poses a significant threat and thus requires a unified mitigating response at the Union level. The updated strategy proposed by the Commission seeks to implement a harmonised and uniform approach at the Union level as well as a detailed determination of external threats in a risk-based manner. Harmonising EU-level mitigating measures seeks to protect MS by providing a framework that is directly applicable and consistent, thus reducing national divergences, which would expose the entire Union's financial system to risks that are continuously evolving.

Hence, obliged entities should be required to apply the whole set of available EDD measures to business relationships and occasional transactions that involve those high-risk third countries to manage and mitigate the underlying risks.

The AMLA will monitor specific risks, trends and methods to which the Union's financial system is exposed and will communicate with the Union's obliged entities about external threats. Guidelines that define external threats will be provided on a regular basis to obliged entities.

In an attempt to reduce ML/FT threats from third countries, the Commission will either follow Financial Action Task Force ('FATF') standards in relation to third countries or carry out its own independent assessment. Third countries so identified by the Commission will be subjected to two different sets of consequences, proportionate to the risk they pose to the Union's financial system:

  1. Third countries "subject to a call for action" by the FATF, informally referred to as the 'blacklist', will be identified as high-risk third countries by the Commission. EDD measures, as well as country-specific countermeasures, will be applied to them to appropriately minimise the danger.

  2. Third-country AML/CFT regimes with compliance deficiencies, defined as "subject to increased monitoring" by the FATF and informally referred to as the 'greylist', will be identified by the Commission and subject to country-specific EDD measures proportionate to the risks.

Furthermore, the Commission may also identify third countries, which are not listed by the FATF, but which pose a specific threat to the Union's financial system and which, on the basis of that threat, will be subject either to country-specific EDD measures or, where appropriate, to all EDD measures and to countermeasures.

Prospectively, additions to the EU's list are expected to align with that of the FATF and hence most obliged entities will already have such jurisdictions classified as high risk. However, they may not currently automatically trigger EDD and thus obliged entities must prepare for more of their customer base to require automatic EDD.

5. A recast of the 2015 Regulation on Transfers (Regulation 2015/847)

The recast of Regulation 2015/847 is closely connected with the proposal for an EU AML/CFT Regulation, whereby crypto-asset service providers will be obliged to conduct due diligence on their customers. In addition, anonymous crypto-asset wallets will be prohibited in the EU.

Present EU rules on the regulation of money transfers have excluded crypto-assets. The Commission notes that ML/FT risks are increasing due to the lack of traceability of these assets. The proposal intends to address this gap by following Recommendation 16 (Travel Rule) of the FATF. Going forward, Crypto-Asset Service Providers ('CASPs') must supplement crypto-asset transfers with information on the sender and beneficiary. This information must be fully shared with the counterpart in the transaction and be readily available in case of requests from competent authorities.

The Regulation requires that, for transfers of crypto-assets, identifiable information must be held on the originator (for example name, address and place and date of birth) and the beneficiary (name and account number) of the transfer. The CASP of the originator needs to verify the accuracy of the information on the originator using an independent reliable source before executing the transfer. The CASP will not be able to execute any transfer of crypto assets until this information has been obtained. This requirement seeks to ensure effective and full traceability of crypto transfers.

The Regulation requires the CASP of the beneficiary to verify the accuracy of the information on the beneficiary using an independent reliable source, before making the crypto-assets available to the beneficiary (for transfers exceeding €1,000, either single or linked). For transfer values below €1,000, the CASP must verify beneficiary information when payment is made in cash, via anonymous electronic money, or where the CASP has reasonable grounds for suspecting ML/FT.

In cases where the information outlined above is incomplete or missing, the CASP of the beneficiary will be required to make a risk-based determination regarding whether to execute or reject a transfer of crypto-assets. The CASP of the beneficiary will be required to report failures to verify accurate information.


The Commission's plan is extensive, ambitious and seeks to completely overhaul the existing AML/CFT legislative framework in a manner that is substantial when compared to its predecessors. The proposals acknowledge that the cross-border nature of ML/FT requires a coherent and consistent approach across MS, based on a single set of rules in the form of a single rulebook. Seeing as the present proposal does not adopt a maximum harmonisation approach, several cross-border loopholes were present throughout the Union, exposing the financial system to risks.

Shifting the form of AML/CFT rules to a Regulation, with more detail than at present in the EU Directive, will promote convergence in the application of AML/CFT measures across MS. This will be based upon a consistent framework against which AMLA will be able to monitor the application of such rules in its function as a direct supervisor of certain obliged entities.

This being said, the application of a risk-based approach remains fundamental to the nature of the EU's AML/CFT regime. In areas where specific national risks justify it, MS remain free to introduce rules going beyond those laid out in the present proposal. It can be argued that the notion of the risk-based approach may defeat the purpose of having a set of harmonised rules; however, it is anticipated that the application of a risk-based approach will be closely monitored by national supervisors and the AMLA.

The plan to establish a separate, well-resourced EU supervisor promises to increase consistency, uniformity, standards, and degree of AML/CFT supervision across the bloc. AMLA will work toward ensuring that national supervisors apply the single rulebook in a consistent manner.

Nonetheless, obliged entities and FIUs may encounter potential compliance challenges such as a lack of cooperation among competent authorities, both at a domestic and cross-border level, creating loopholes that can be misused by criminals. Additionally, these proposals may come into conflict with other key pieces of legislation, namely data privacy acts. Obliged entities will be faced with the improbable challenge of complying with conflicting regulations: whereas AML/CFT requires the processing of personal data, data protection regulations restrict it.

In conclusion, providing a harmonised approach to key areas such as the CDD process, identification of beneficial ownership and reporting procedures, as well as providing clearer rules for AML/CFT risk management, improving cooperation among authorities, the interconnectivity of bank account registers, the traceability of crypto-assets and increased scope of obliged entities, superseded by consistent application by competent authorities and regulators, is highly likely to reduce the cross-border element of financial crime.

The final texts of the legislative proposals are subject to change and refinement, as other EU bodies and stakeholders provide feedback. Therefore, MS, national regulators and obliged entities are strongly encouraged to closely monitor the developments in this space.


1. COM/2021/420 final

2. COM/2021/423 final

3. COM/2021/421 final

4. COM/2021/422 final

5. https://www.nytimes.com/2019/02/20/business/danske-bank-estonia-money-laundering.html

6. https://www.fca.org.uk/news/press-releases/fca-fines-deutsche-bank-163-million-anti-money-laundering-controls-failure

7. https://www.govinfo.gov/content/pkg/FR-2018-02-16/pdf/2018-03214.pdf

8. The Court of Justice of the European Union ruling delivered on 22nd November 2022 on access to beneficial ownership registers is unlikely to impact transparency in practice, as member states, supervisory authorities and obliged entities will retain their access – only the general public are hereby restricted from unfettered access to beneficial ownership registers.

Originally published by ICC FraudNet Global Annual Report 2023 on 07 July, 2023.
