The subtler points of the EU's fourth AML directive explained

Three compliance experts, Samantha Sheen from Canada, Barbara Friedrich from Germany and Carole de Gaulle from France, were joined by Brian Dilley of Lloyds Banking Group on a panel at the ACAMS conference. They discussed the European Union's latest anti-money-laundering legislation in some depth, pointing out its novelties.
Barbara Friedrich concentrated on the provisions that called for the identification of beneficial owners. She listed some reasons why it might be useful for a money-laundering reporting officer to identify them. These were:
- the need to understand legal structures;
- the need to rule out shell companies (i.e. companies with no physical presence);
- the fact that bearer-shares sometimes make it difficult for MLROs to know that criminals are not using a corporation; and
- the revision of the Financial Action Task Force's 40+ recommendations that calls on countries to make it compulsory.
She explained that the directive brought in a slightly new definition of 'beneficial owner,' going from a two-step approach to a three-step approach. These 'steps,' which are actually kinds of beneficial owner, are as follows.
1. The person on whose behalf the business relationship is established or the transaction is performed. This happens, for example, when an account is held for the benefit of a child.
2. The ultimate beneficial owner of a legal person. This can be the legal owner or shareholder, which for the purposes of the directive is anyone with 25% plus one vote. Friedrich said that EU member-states had traditionally interpreted this in different ways, although it is hard to imagine how. There is no change here: the EU's objective remains the discovery of the "natural person behind the legal person."
Friedrich commented that it was possible, of course, for shareholders to act in unison and for one person with a holding lower than 25% to gain control through other means. She thought that MLROs should watch out for evidence of 'shareholder agreements' or even voting rights that skewed people's control over companies. Clandestine agreements by which shareholders agree to vote at the behest of others are hard to detect but, she thought, such control might manifest itself through more publicly available indicators such as 'golden share' agreements or evidence that someone has control over the preparation of financial statements (and also, in her terminology, 'pre-financial statements') or even financing structures and family relations that might betray the fact that "someone is sitting at the back."
3. Senior management officials. This represents the new part or the 'third step' of the EU's definition. These can be 'placeholders' or the "legal representatives of legal persons." Friedrich added that she thought that the French already had this third part of the definition. She told the tale of a German bank and a French bank vying for business, with the German bank having to step down because it had not conducted this vital piece of 'customer due diligence.'
Adding rather fatalistically, "you can always put somebody in the front," Friedrich said that under article 13 of the fourth directive the identification process remains the same as under the third: "You still only have to take 'reasonable measures' to verify the beneficial owner's identity, whereas with the customer you have to identify him definitely. So how many layers of ownership do you have to look at? Every country has its own interpretation and this could lead to some friction." This, almost certainly, was a reference to regulatory arbitrage.
Under article 30(1) it is to be the responsibility of the company in question to hold up-to-date beneficial ownership information that it must provide to the authorities or to 'obliged entities' (i.e. reporting entities such as financial institutions). This rule first saw the light of day in FATF recommendation 24 (IN par 8) in the revamp of the FATF rules in February 2012.
Beneficial ownership registers
The directive's other novelty is, of course, the requirement for every country to set up a register of the beneficial owners of companies incorporated within its borders. This, as readers know, was something of a last-minute addition and stemmed from the UK's initiative at the Lough Erne meeting of the 'Group of 8' industrialised nations in 2013.
Friedrich listed three things that ought to be happening in every EU country.
1. Competent authorities and financial intelligence units ought to be able to see the register without qualification. This should be done in a way that does not 'tip off' criminals about any investigations that are underway. The contents of the register should also be subject to international information exchange. Friedrich asked the MLROs: "what will YOU access in the register?"
2. Obliged entities should be able to access the register "within the framework of CDD." Customer due diligence is an ugly term that the EU borrowed long ago from the Basel Committee for Banking Supervision. The directive says: "One cannot rely exclusively on data in the beneficial ownership register." This disappointed many MLROs when it first appeared. Friedrich said that they therefore had to use additional information such as that collected through the lifetime of the business relationship in question. She stressed the need to be on the lookout for "handshakes between shareholders leading to control by other means," adding that "what you do every day in your business relationship with your client is you see things - it's true to say that banks know more than governments."
3. The register should also be open to anybody who can demonstrate a legitimate interest. People in this category should only be allowed restricted access. Investigative journalists are in this bracket and every country should be obliged to allow them to see this-or-that individual's name, month and year (but not date) of birth, nationality and country of residence.
International co-operation
The directive states: "Competent authorities and FIUs shall be able to exchange information in the register." The European Commission is going to produce a report in 2019 for the purpose of deciding whether to link the registers up.
Politically exposed persons: what's new?
Carole de Gaulle told the audience that the directive expanded the EU's definition of politically exposed persons or PEPs to include domestic PEPs. Likewise, she said, article 3(9)(c) brings the senior managers of political parties into the fold, with article 3(9)(h) doing the same for 'international organisations.' Meanwhile, article 20(a) obliges banks for the first time to identify beneficial owners as PEPs if that is what they are.
There is one obvious snag here: EU law does not define 'political parties' and the directive does not help either. This means that either banks must take people at their word when they say whether or not they are in political parties or they have to look at the term as expressed in the law of the country in question. De Gaulle even wondered whether it would be best for each bank to come up with its own definition of the phrase and stick to that in all cases. She added that "financial institutions will struggle" with all these onerous new requirements.
Contagion of PEP standards
Once a bank identifies a PEP, there is a danger that the directive's wide and fuzzy PEP rules will overflow into other areas of its business. The basic three rules of the third directive are still present in the new one, enshrined in article 20(b), which says that the financial institution must:
- obtain senior management 'sign-off' for a business relationship with the PEP;
- establish the source of his wealth and his funds; and
- conduct "enhanced, ongoing monitoring" throughout the relationship.
Several questions remain unanswered. If the beneficial owner is a PEP, should the company become a PEP as well? If so, what extra due diligence or EDD measures should apply to the customer?
De Gaulle thought that the company should not be a PEP in these circumstances but added: "but no argument can be put forth against this in MLD IV." She thought that if something she called 'formal contagion' were to happen, the customer would also qualify as a PEP and his family and close associates would also be covered. If he did not qualify, he would just be a high-risk customer and 'informal contagion,' which was preferable, would take place.
De Gaulle added: "The scope of the risk-based approach is obscure in MLD IV. EDD measures under article 20 seem to be mandatory, so they are stricter than the FATF's!"
Simplified due diligence
Brian Dilley then took the floor, claiming that the new directive heralded a fundamental change in 'simplified (watered-down) due diligence' that people had not noticed. The third directive says that EU member-states may tell their financial institutions to apply SDD to listed companies, regulated entities, pooled accounts and various public authorities if they think of them as 'low risk.' Article 13 of the new directive, however, says that wherever a member-state or obliged entity identifies areas of lower risk, the member-state may allow obliged entities to apply SDD measures but before applying SDD measures, obliged entities must ascertain that the customer relationship or transaction presents a lower degree of risk. This wording is different and Dilley concluded: "So SDD measures are no longer an exemption." He was basically making the point that an assessment of low risk must now be made in every instance and the 'blanket exemptions' of today are to go.
With enhanced/extra due diligence or EDD, Dilley said that there were a couple of subtle changes. The directive points at two highly risky areas:
- correspondent banks (the previous directive said 'banking'); and
- PEPs including domestic PEPs.
The European Supervisory Authorities (the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority) drew up some guidelines on the subject and began to consult interested parties about them last October. The finalised guidelines have yet to appear, although proposed guideline 149 states unequivocally: "Simplified due diligence is not appropriate in a wealth management context."
Assuming that this nugget of wisdom does not end up being official EU policy, how should wealth managers apply SDD? Dilley looked at the proposed guidelines for clues and came up with several points.
- The MLRO may apply SDD when the risk that money will be laundered is low.
- At least some checking has to take place. The paper issued by the trio of super-regulators states that the compliance function should "not defer CDD or delay obtaining relevant information about the customer where applicable legislation, for example the AML regulation or provisions in national legislation, does not permit this." SDD, then, is not an exemption from the CDD measures.
- SDD can take place, according to the paper, "when trigger events occur such as the customer looking to take out a new product or service or when a certain transaction threshold is reached; firms must make sure that this does not result in a de facto exemption from keeping CDD information up-to-date."
Dilley thought that all this was helpful, adding that "on EDD the proposed guidance and requirements aren't different really." He quoted from the paper again, saying that the European super-regulators thought that every firm should verify the source of wealth and the source of funds on the basis of reliable and independent data, documents or information whenever the risk associated with the PEP relationship is particularly high. This, he thought, was another subtle but worthwhile development because it recognised, perhaps for the first time in EU literature, the fact that some PEPs pose a higher risk than others.
Correspondent banking
Dilley thought that there were some suggestions that the Eurocrats did not mean exactly what they said when they condemned 'correspondent banks' and not 'correspondent banking' as dangerous. Chapter 1 of the paper contains sectoral guidelines for correspondent banks and starts off with lists of high and low correspondent risk factors that pertain to products, services, transactions and customers. The following factors may indicate higher risk.
- The account can be used by other respondent banks that have a direct relationship with the respondent, but not with the correspondent (‘nesting’ or downstream correspondent banking).
- The account can be used by other entities within the respondent’s group that have not themselves been subject to the correspondent’s 'due diligence.'
- The service includes the opening of a payable-through account, which allows the respondent’s customers to carry out transactions directly on the account of the respondent.
The plan that did not work
The UK's beneficial ownership register, on which premier David Cameron spent so much political capital, is up and running but not accessible to the public or even to financial institutions. Dilley lamented this, saying that this was going to hamper the regulated community's 'due diligence' efforts. He added that the Channel Islands' registers were going to suffer from the same problem. Some say that the reason for this is not technical problems with software but worries over the quality of the data, but nothing is known for sure.