

Challenge of balancing 5AMLD and GDPR

Since January 10, the European Union’s fifth Anti-Money Laundering Directive (5AMLD), legislation that aims to strengthen the barriers in the battle against money laundering and terrorist financing, has been in effect. However, as with other EU directives, actual implementation varies widely and no enforcement actions have occurred to date, writes Zac Cohen, COO of the identity verification company Trulioo.

Having said that, for obliged entities operating in the EU (or the UK), ignoring the directive is not an option. It’s just a matter of time before compliance is mandatory, and exposing the business to fines and reputational damage is an unnecessary risk. For example, in Austria, cryptocurrency-related businesses that fail to register face fines of 200,000 euros. In the Czech Republic, these fines might be in the region of 500,000 euros, although that exact figure is not law yet.

Put simply, the time for organisations to ensure compliance is now.

A balancing act for businesses

When approaching 5AMLD, it’s important for business leaders to understand that it doesn’t exist in isolation; there are many other regulations that need consideration and coordination. For instance, GDPR (General Data Protection Regulation) upholds strict privacy and data protection measures while PSD2 (Payment Services Directive) requires careful handling of payment information. If that balancing act wasn’t enough, provisions within the separate pieces of legislation contradict each other: not only is each relatively new, but they also have different goals and show a lack of consideration for one another’s requirements.

To help put an end to corruption and financial crime, one of the most important steps governments can take is to ensure that effective beneficial ownership transparency rules and procedures are in place. Conversely, data privacy is a critically important topic, not only because of the risks incurred by sub-standard security or legal non-compliance, but because an individual’s digital identity is increasingly the benchmark of their existence. All of this begs the question: ‘how can organisations protect privacy while simultaneously ensuring transparency?’

What is crystal clear is that organisations need to collect enough information to perform anti-money laundering (AML) checks. At the same time, they must make sure the proper consent to acquire that information is granted and that the information is handled effectively throughout the process. Throw in other factors like an organisation’s desire to maximise data collection in order to fight fraud, better spot patterns of money laundering and improve their customer knowledge, and the situation becomes incredibly tangled. It almost seems as though GDPR and 5AMLD are working against each other as two conflicting regulations.

Fines and sanctions for AML lapses are well known and considerable, while actions under GDPR are still the exception; so should organisations really have to choose which to prioritise?

A clear set of rules

Ironically, one of the goals of 5AMLD is to achieve regulatory homogenisation. This is because, for entities that operate cross-border, dealing with multiple regulatory sets and agencies has traditionally meant significant additional costs, substantial compliance risks and results that were not effective in any case. Consider that in the EU, banks spend around $20 billion on compliance per year and, according to Rob Wainwright, former director of Europol, “professional money launderers are running billions of illegal drugs and other criminal profits through the banking system with a 99 per cent success rate.”

But the picture isn’t completely bleak. While the level of desired homogenisation is not there yet, 5AMLD has provided some measure of clarity. For instance, cryptocurrencies, which previously had no clear legal standing, are now considered “obliged entities” and face the same requirements as financial institutions. These requirements include AML, customer due diligence, transaction monitoring and suspicious activity reports.

The legislation also establishes a new interconnected network of national bank-account and transaction registers, bans anonymous safe-deposit boxes, and increases the due diligence required for business relationships or transactions involving high-risk third countries. It has also brought forth the concept of company registers to improve transparency for beneficial ownership. There are now specific dates for having these registers and interconnecting them with the European central platform. In addition, a formalised process to obtain, record and update the beneficial ownership information required for the register has also been mooted.

Why ID verification

Customer security and rigorous AML compliance are shaping up to be an amalgam of better systems, stricter procedures and a multi-layered safety approach to payments. At the core of this is the need for effective identity verification. After all, if you don’t know who you are doing business with, the risks for transacting with criminals, terrorists and corrupt individuals increase.

For companies that already have strong compliance programs in place, 5AMLD might bring some questions, but any scrutiny can be met with confidence that the right considerations were made. For other companies, creating a robust program now will not only serve for the short term, but set up the organisation to thrive as regulations continue to evolve and requirements become ever more demanding.

The fines and penalties for firms that fail to adequately protect customers are steep, and the loss of trust in the event of a breach is a cost no one wants to calculate.

