On 19 June 2024, the European Parliament and Council published the new anti-money laundering and countering the financing of terrorism (“AML/CFT”) package – an extensive reformative legislative package – that consists of three main legal texts:
- Regulation (EU) 2024/1624 of 31 May 2024 aimed at preventing money laundering and terrorist financing (“ML/TF”), commonly known as the EU AML Single Rulebook (“AMLR”). This regulation will come into effect on 10 July 2027, except for specific new obliged entities, for whom it will apply from 10 July 2029.
- Directive (EU) 2024/1640 of 31 May 2024 concerning mechanisms to prevent financial system abuse for ML/TF (“AMLD6”). This directive will be applicable as of 10 July 2027.
- Regulation (EU) 2024/1620 of 31 May 2024 establishing the authority for AML/CFT (“AMLAR”) in the EU. This regulation will take effect from 1 July 2025. However, specific provisions will apply earlier, on 26 June 2024, and 31 December 2025.
Critiques of the previous AML/CFT framework
This AML/CFT package, aimed at strengthening and harmonizing the AML/CFT rules in the EU follows substantial progress in combating ML/TF related issues. It tackles key challenges encountered in enforcing previous legal instruments, such as:
- the diverse implementation made it challenging to enforce consistent AML/CFT-related measures across all EU Member States;
- the enforcement instruments available were insufficient to detect and penalize illicit financial activities effectively. This hindered the framework’s ability to deter criminals;
- inconsistent AML/CFT supervision across EU Member States made it difficult for EU financial intelligence units (“FIUs”) to cooperate due to a lack of a unified AML/CFT framework across the union.
Strengthening the AML/CFT measures in the EU
The main objectives of this package are threefold:
- It addresses systemic weaknesses and closes loopholes that criminals exploit to launder illicit proceeds or finance terrorist activities within the financial system.
- It harmonizes the AML/CFT legal framework across the EU Member States through a single rulebook.
- It establishes a decentralized EU regulatory body called the EU AML/CFT Authority (“AMLA”) to ensure consistent implementation of the AML/CFT rules and coordination among national authorities.
The Package’s key components: an overview
1. AMLR – The EU AML Single Rulebook
The AMLR expands the previous AML/CFT framework and introduces several important provisions that exhaustively reinforce AML/CFT-related measures across the EU. These provisions include on:
- the scope of application on obliged entities,
- internal policies, controls, and procedures of obliged entities,
- customer due diligence (“CDD”),
- beneficial ownership transparency,
- reporting obligations,
- Information sharing,
- data protection and record-retention, and
- measures to mitigate risks deriving from anonymous instruments.
Extended scope of obliged entities
The scope of entities that are subject to AML/CFT requirements, referred to as the ‘obliged entities’, is extended. Despite certain exemptions, the following entities are now within the AMLR’s ambit:
- crypto-asset service providers (“CASPs”) that amount to a value of at least EUR 1,000;
- traders involved in high-value goods trading such as jewelry, luxury watches, precious metals and stones, aircraft, motor vehicles, watercraft, art crafts, and others;
- professional football clubs in certain transactions, and football agents. Member States may exempt smaller clubs if they can demonstrate low risk, for example, those with a turnover of less than EUR 5 million in the last 2 years;
- gambling service providers with certain exemptions.
Internal policies, procedures, and controls
In scope entities must establish internal policies, procedures, and controls to reduce their exposure to the risk of ML/TF. The management of the obliged entity has to appoint (i) a designated ‘compliance officer’, and (ii) a board member, known as the ‘compliance manager’ – both globally responsible for ensuring adherence to the AML/CFT rules as defined in the AMLR.
Reinforcement of CDD: simplified or enhanced
The AMLR reinforces the CDD requirements while introducing tightened specific detailed measures concerning cases where obliged entities must exceed simplified due diligence and perform enhanced due diligence (“EDD”) such as:
- cross-border correspondent relationships for CASPs;
- financial and credit institutions dealing with high-net wealth individuals, exceeding €50 million and assets under management exceeding €5 million;
- occasional transactions and business relationships involving high-risk third countries, based on a risk assessment aligned with the FATF lists.
EU-wide limit for cash payments
In-scope entities must follow the new EUR 10,000 cash payment limit. Member States have the flexibility to set a lower maximum if needed due to specific national risks, subject to a three-month notification. Customers are required to be identified and beneficial owners verified in occasional cash transactions of at least EUR 3,000.
Consolidating and reinforcing beneficial ownership transparency
In scope entities must implement a streamlined beneficial ownership transparency to customers and counterparties. The concept of beneficial ownership remains the same, but a clearer framework has been established for identifying individuals who ultimately own or control legal entities, as well as multi-layered or complex ownership structures.
The threshold for ownership interest, shares, or voting rights is set at 25 percent or more. Member States should use a risk-based approach for categories of entities with high-risk to ML/TF. They can propose a threshold of no more than 15 percent to the EU Commission. However, the EU Commission has the authority to set a higher threshold based on risk, as long as it is lower than 25 percent.
In cases of medium-high risk to ML/TF, if the relevant entity is based outside the EU, it must register its beneficial ownership in the central register (in Luxembourg, currently the registre des bénéficiaires économiques, "RBE") before establishing a business relationship with an in-scope entity in the relevant EU Member State.
Furthermore, stricter requirements have been set for reporting discrepancies in beneficial ownership registers.
Provisions on data protection and record retention have been revised to allow competent authorities access to information on beneficial ownership held by in scope entities.
Additional potential countermeasures and "high-risk third countries"
Obliged entities shall be required to apply EDD measures to occasional transactions and business relationships involving third countries deemed high-risk. Either the obliged entities or the EU Member States, if the high-level risk justifies it, may adopt additional countermeasures, to protect the union’s financial environment from potential ML/TF risks. If Member States adopt further countermeasures, they shall notify the EU Commission thereof who may cause such measures to be revoked if they are deemed unnecessary.
2. AMLD6
The AMLD6 widens the regulatory scope of ML offenses, clarifies definitions related to those offenses and their perpetrators, and enforces stricter penalties across Member States. It covers provisions that could not be included in the AMLR: (ii) Registers, (iii) FIUs, (iv) AML Supervisions, (v) Cooperation, (vi) Data Protection. The following summarizes the key aspects of the AMLD6.
Central registers of beneficial ownership
AMLD6 provides for robust rules regarding beneficial ownership information and their recording in Central Registers. The central register contains information about the beneficial ownership of legal entities and legal arrangements, as well as details about nominee arrangements and foreign legal entities (in Luxembourg, currently the RBE). This information must be accurate, up-to-date, and verified. It should be retained for at least 5 years, with an additional 5-year period in the case of a criminal investigation under Article 10.
Furthermore, those registers are reliable databases for beneficial ownership information. They cross-check the data with financial sanctions and ensure, within a reasonable time, that the submitted information is accurate and consistent. If there are any issues, registration can be withheld. In case of uncertainty, authorities have the right to conduct on-site inspections.
Access to the registers is granted to FIUs, other competent authorities, self-regulatory bodies, and obliged entities free of charge and in digital form. Public access is conditional and granted to persons with a legitimate interest, e.g., the press.
National AML supervision, central account registers and FIUs
AMLD6 aims to enhance collaboration between FIUs and other competent authorities, i.e., AMLA, Europol, Eurojust, and the European Public Prosecutor’s Office. By fostering reciprocal cooperation and information exchange, AMLD6 seeks to improve the efficiency in addressing complex or cross-border financial crime cases. The directive also provides FIUs with increased capabilities to better detect and track cases of ML/TF.
Moreover, AMLD6 improves the organisation of national AML/CFT-systems by exhaustively outlining mutual cooperation between FIUs and supervisors. In this regard, the obliged entities will be supervised using a risk-based approach by separate national supervisors. These supervisors have the authority and obligation to conduct essential off-site, on-site, and thematic checks, as well as any other necessary inquiries and assessments, pursuant to Article 40. Additionally, they are expected to collaborate with each other and with the FIUs.
A single central register (in Luxembourg, the Central Register of Bank Accounts, CRBA) will further contain information about accounts identified by International Bank Account Numbers (“IBANs”), including virtual IBANs, securities accounts, and CASPs accounts. The central account registers in Member States will be interconnected to enable efficient exchange of information with FIUs.
Statistical reporting, supervisory colleges and regulatory technical standards:
Member States are required to maintain and publish AML/CTF statistics to review effectiveness.
AMLD6 imposes a requirement on Member States to establish supervisory colleges in both financial and non-financial sectors within the union, as well as with counterparts in third countries. In this regard, AMLA will issue guidelines that should be subsequently incorporated into legal frameworks by Member States.
3. AMLA
AMLA is the new decentralized body of the EU, to be based in Frankfurt am Main, Germany, and to be fully operational by Summer 2025.
AMLA’s purpose is to tone-up the AML/CFT framework, ensure high-quality supervision, promote harmonization, and facilitate information exchange among FIUs and other competent authorities within the union. Its function is twofold:
- Supervision
- AMLA combines both direct and indirect supervisory competences over financial entities. AMLA directly supervises ML/TF high-risk entities, including CASPs. It also indirectly supervises other financial entities by collaborating with national financial supervisors. In the non-financial sector, AMLA mainly coordinates with national supervisors and promotes their supervisory alignment.
- Harmonization and coordination
- AMLA is required to follow a standardized supervisory methodology. Given the cross-border nature of ML/TF, AMLA will create an integrated mechanism with national supervisors to ensure in-scope entities comply with AML/CFT-related obligations in the financial sector. While supporting those in the non-financial sector. It will issue guidelines, recommendations, and opinions to promote consistency among those supervisors.
Additionally, AMLA is mandated to create and maintain a central AML/CTF database of information to facilitate AML supervisory activities.
AMLA is entrusted to support and coordinate between FIUs. This involves, amongst other actions, participating in joint ML/TF analysis and managing the FIU's information exchange system (FIU.net).
Luxembourg: horizons ahead
The primary legal AML/CFT instruments in Luxembourg consist of the law of 12 November 2004, as amended ("AML Law"), the Grand-Ducal Regulation of 1 February 2010, as amended, and the law of 13 January 2019 related to the RBE. The AML Law is supported by various AML/CFT circulars and guidelines issued by national competent authorities, e.g., the CSSF.
The AML/CFT framework in Luxembourg is heavily influenced by the EU harmonization efforts. Additionally, as a member of the OECD and a jurisdiction within the FATF, Luxembourg, like any other EU Member State, is expected to comply with the new EU AML/CFT package and by adjusting its relevant legal framework according to the provisions of the AMLR and the AMLD6 within three years, and the AMLAR within one year.
