An Update on the EU’s AML Regulatory Package

On 20 July 2021, the EU Commission put forward an ambitious new AML (anti-money laundering) package which consists of three new Regulations and a Directive to strengthen the current EU AML/CTF (counter-terrorist financing) regime. The proposals aim to bring about a more consistent and harmonised approach across the EU. This will have major impacts on firms through actions like changes to outsourcing, customer due diligence (CDD), and beneficial ownership.

The Package is currently being scrutinised and amended by the European Parliament with the intention to release the updated draft proposal to the European Council in February 2022 for consideration. This will then be released under consultation to the regulated sector in Europe—a vital process which allows not only member states but also firms within those member states to comment on and potentially shape the money laundering regime across the whole EU.

Outsourcing Arrangements

A key area outlined by the proposals involves prohibitions around outsourcing arrangements. The proposals introduce specific prohibitions on activities that must not be outsourced, such as:

  • the financial crime internal audit function
  • the development, drawing up, and approval of internal policies, controls, and procedures.

Outsourcing an internal audit function is by definition contradictory, so it is understandable that this may become a prohibited outsourced function. After all, internal audits are the third line of defence (3LoD) and a firm must be in control of all its lines of defence to learn from the findings of its own internal audits.

However, the intended benefit of prohibiting the outsourcing of policy and procedure authoring is not entirely clear. It has long been argued that if a company doesn’t write their own policies, they can’t truly understand and operate by them. This can expose them to greater legal, operational, and regulatory risks due to inadequate policies and procedures or compliance failures because their policies were not written with the unique products and services of the company in mind. Nevertheless, this largely depends on how a company interacts with its outsourced provider.

Outsourcing policy- and procedure-writing is understandable when a firm pays a small sum to buy an off the shelf policy designed for a bank, for example, and all that is allegedly required for this to become the company’s policy is for them to insert its name where indicated. However, engaging a professional outsourced provider should work as an extension to the company’s own department – obtaining a temporary expert resource because a company’s workloads, budgets, or a combination of both do not stretch far enough to allow for this level of work to be undertaken in-house.

Example: Good Practice

SA professional outsourced firm will help a company in the authoring of its policies, for example, whilst ensuring that the company is fully immersed in the process. This is because the company, not the outsourcer, is the firm responsible for working to the requirements of the policy and explaining both the policy content and the decision- and thought-making process behind it if questioned by a regulator.

It is hoped that staff within frequently overworked financial crime departments will not be prohibited from seeking essential assistance from external firms when they need it. Such a predicament will leave firms torn between two options:

  1. breach the prohibition and face the consequences of that breach
  2. allow their company to operate under out of date or inadequate policies and prepare for the consequences if subject to a regulatory visit or inspection.

CDD Controls

Another key area in the proposals is the proposed changes to CDD controls. The changes propose a due diligence that is focused on a 5-year review and includes elements such as information on the transactions associated with a business relationship—including a transaction’s value (or estimated value), its intended destination, and the economic rationale of the transaction.

This kind of information has always formed part of an intelligence led CDD/customer risk assessment, usually under a title of the “does it make sense” test. However, if specific items such as this and time frame for when such must be reviewed within is introduced, then this could remove a company’s ability to apply a risk-based approach for itself. The proposal raises the question: will EU-based financial services companies now have to undertake CDD reviews in a prescribed manner and timeframe, irrespective of the risk presented? If this is the intention, further detail will be required for every circumstance under which a company may find itself engaging with a customer, and what type and level of documentation will be required to satisfy the requirements and retain safe harbour from regulatory scrutiny.

Moreover, the five-year requirement for CDD controls also contradicts the proposed guidance on beneficial ownership information. The proposal suggests these should be updated annually; these timeframes must be refined to remove any uncertainty.

Beneficial Ownership

Under the new package, firms will have to maintain adequate and current information on the identity of their customer’s beneficial owner (BO). The proposals contend that relevant information must be obtained within 14 calendar days of any change of BO and from the creation of any entity or legal arrangement. However, it is unclear at present whether the 14 days begin once the obliged entity has been informed, or once the change in the BO occurs. In the case of the latter, this would be costly for companies and produce even more work for them, especially if they are unable to use the services of outsourcers for tasks like annual policy updates and rewrites.

Further, the ability to hold such information within a 14-day period will mean companies have to place a huge reliance on customer speed and co-operation in order to remain compliant with this requirement. Even with the best of intentions, such speed and co-operation will not always be forthcoming. This begs the question: how can a regulated company be found in breach of a regulatory requirement due to the action or inaction of a non-regulated company?

It is clear that the Package is intended to create a harmonised EU framework on AML/CTF which, if attainable, will be of great benefit to all financial institutions. However, the proposed changes need to be able to work for everyone if the real benefit is to be felt. Once the updated proposals are released this should provide more clarity on how the proposed changes will impact companies – let’s hope the impact is a positive one!

Anti-Financial Crime Support – How can Complyport Help?

Our experienced Financial Crime and Forensics team led by Martin Schofield—one of the world’s leading specialists in the field—brings a wealth of experience to every project we are engaged in. Our highly experienced financial crime professionals and forensic experts, in subjects such as anti-money laundering, counter terrorist financing, anti-bribery and corruption and fraud and regularly help our clients navigate the complexities of the financial crime and money laundering environment. Services offered by Complyport include:

  • Financial crime health checks and audits,
  • Implementation of financial crime, AML, CTF, ABC, Fraud and market abuse controls and frameworks,
  • Ongoing advice on financial crime, AML, CTF, market abuse and fraud prevention,
  • Authoring/reviewing financial crime policies,
  • Outsourced MLRO support
  • Outsourced KYC and CDD support,
  • Assistance in identifying Politically Exposed Persons (PEPs),
  • Assistance in navigating international sanctions,
  • Support with preventing market abuse and insider dealing,
  • Expert Witness in Financial Crime cases
  • Forensics and Investigations
  • Design and/or delivery of online or face to face financial crime training

If this article has raised any questions, or you think your firm may require assistance, please contact either Martin Schofield via or Jan Hagen via to book in a free consultation.

About Complyport

Complyport is the City’s market leading consulting firm supporting the UK financial services industry for over 20 years. We specialise in providing Governance, Risk and Compliance services to support the regulated financial services industry to raise standards and thrive.

Complyport advises and assists firms to become authorised and to comply with the rules and requirements of regulators on an ongoing basis. Our vision is to be there for our clients every step of the way, helping them change, grow, and excel through expertise, insight, and innovation, and in so doing to become our clients’ most valued supplier and trusted advisor.

We have successfully assisted over 1000 firms to become authorised with the FCA and EU and are providing regulatory support to over 600 regulated firms on an ongoing basis globally. With presence in the UK and EU, as well as via our Associates Network, Complyport can assist firms across multiple jurisdictions.

Complyport’s multidisciplinary consultants possess deep expertise in their field, having acted in FCA skilled person reviews, as expert witnesses in legal cases and as expert investigators for firms or their legal advisers.

Day to day, we conduct audits and reviews of a firm’s products, processes, policies, and procedures to identify scope for business, to determine the impact of regulatory developments and to verify compliance with local regulations. Our clients tell us we live our values; we are driven, agile and collaborative.

COntact us for assistance

Please fill our free consultation form and a member of our team will get in contact with you.