Ref. Ares(2017)5393166 - 06/11/2017
Commission services non-paper
Supranational Risk Assessment in the Fourth Anti-Money Laundering Directive
1. Introduction
In their comments on the Commission's proposal, some Member States have expressed a
desire for greater harmonisation of the EU risk assessment and for a more prominent role of
the Commission in the process. In their view, consideration should be taken of the role of
other competent authorities (Financial Intelligence Units (FIUs), Europol, law enforcement
authorities), and of risks beyond the financial sector.
This paper considers how an EU supranational identification and assessment of risks could be
organised and addresses the issue of mitigating measures for the identified risks.
2. FATF Recommendations
Interpretative Note 1 (“INR1”) of the FATF 40 Recommendations sets out the measures
Member States should take in order to identify and assess the money laundering and terrorist
financing risks for a country. FATF has acknowledged that where appropriate, this can be
done at supranational level.
3. Commission's proposal
The Commission’s proposal for the
4th Anti-Money Laundering Directive (“4AMLD”) contains rules on risk assessments consistent with the FATF standard:
Article 6 requires the Anti-Money Laundering Committee ("AMLC") of the European
Supervisory Authorities ("ESAs") to provide a joint opinion on the money laundering and
terrorist financing risks affecting the internal market, and for the Commission to make that
opinion available to Member States and obliged entities;
Article 7(1) requires each Member State to take appropriate steps to identify, assess,
understand and mitigate the money laundering and terrorist financing risks affecting it,
and to keep the assessment up to date.
Articles 15 and 16(4) require ESAs to issue guidelines on the risk factors to be
considered and the measures to be taken in situations where simplified and enhanced
customer due diligence are appropriate.
Article 45 (10) requires ESAs to issue guidelines on the factors to be applied when
conducting supervision on a risk-sensitive basis.
4. Need for a supranational approach
The need for a supranational approach to risk assessment arises when risks are identified
which go beyond the specificities of national jurisdictions and share certain commonalities
1
with a number of Member States. Such commonalities may be especially prevalent in the EU
given its integrated and borderless nature.
5. Nature of the risk assessment
Over the course of negotiations, some Member States (Germany, France and Italy in
particular) have called for greater coordination and involvement of the Commission in an EU-
wide assessment process, and for the Commission to be tasked with identifying certain high-
risk scenarios affecting different sectors in the EU and providing more detail on the measures
that should be taken to mitigate such risks.
The identification of threats and the estimation of risk is a complex exercise, which requires
technical expertise and skill. The assessment of EU AML risk will need to be based on
objective data collected from Member States and other entities participating in the process.
Threats and hazards must first be identified, as well as the persons exposed to each hazard; it
will also need to be assessed how the hazard will affect the exposed parties. Risk estimation
will then need to be performed in order to produce (quantitative) measures of risk. On the
basis of such an assessment, mitigating measures may need to be designed to address the
identified threat.
In line with the ever-changing nature of risks, the risk assessment will need to be a continuing
and evolving process, completed over time as more evidence is gathered with respect to EU
level risk.
6. Scope of the risk assessment
One major practical difficulty associated with carrying out an AML risk assessment at EU
level could prove to be its potentially broad-ranging scope. Given that money laundering and
terrorist financing risks extend beyond the financial sector into a variety of non-financial
sectors (lawyers, accountants, estate agents, gambling, etc.), a broad risk assessment would
have to address a multiplicity of different issues derived from national or sectorial risk
assessments, which may only be partially relevant in the wider EU context.
An appropriate solution to such a problem, which would also be in line with the very idea of
an assessment of supranational risks, would be to focus and restrict analysis to a well-defined
and limited number of specific, EU-level, risks.1 Member States could agree
on a number of
common risks (possibly via the EGMLTF) and agree to concentrate work on further
assessing those risks.
1 “
Due to the time constraints and the resource implications, the need to proceed in parallel with the assessment
at national level was acknowledged, as well as the need to avoid any duplication of the evaluation work at
national or FATF level. Several delegations argued in favour of identifying the main (three or four) topics of
supranational relevance on which the exercise should focus. Experts from Member States with appropriate
knowledge could then analyse such issues, acting in small dedicated teams coordinated by the Commission, with
a view to agreeing on a document which brought together the results these thematic analysis.”
2
7. Author of the Risk Assessment
Given the complexities associated with such an exercise, and the broad-ranging scope, the
drafting of a risk assessment will need to be the fruit of a joint effort between a number of
different EU bodies, and it will also be necessary to tap into resources and have access to
information and data at national level. The Commission services would be ready to take on
the role of coordination of the work and would take responsibility for drafting and publishing
the final product. This work would necessitate involvement of other relevant bodies:
7.1. EGMLTF
In light of its expertise, skill and ability to tap into national resources, the best placed to
assume a major role in carrying out the type of wider risk assessment outlined above would
appear to be the EGMLTF; it is a permanent Commission expert group composed of national
administrations, and has the capacity to draw on expertise available nationally. Its mission is
to advise the Commission on AML and terrorist financing issues and it is tasked with
assisting the Commission in the preparation of legislation or in policy definition, coordinating
the exchange of views between Member States and providing the Commission with expertise
when drafting implementing measures. Moreover, at its meeting on 10 June 2013, the
EGMLTF generally welcomed the idea of involvement in the supranational risk assessment2.
7.2. Financial sector: work carried out by the ESAs
The Commission’s proposal tasks the ESAs with providing a joint opinion on the money
laundering and terrorist financing risks affecting the internal market. The scope of that
opinion would necessarily be limited to the financial services sector, but should be based on
inputs it has received from a variety of sources via its own consultation processes. As such, it
should constitute an important element to be taken into account in the EGMLTF’s broader
risk assessment.
However, on the one hand the EGMLTF should not wait for the ESA opinion before
beginning its own work. On the other hand the EU level risk assessment should not be
delivered before the ESA opinion is available, in order to be able to take into account its
findings. The Commission services would ensure the necessary coordination between these
two workflows.
It would be necessary and expected that the ESAs engage upstream with other stakeholders to
ensure an all-encompassing assessment in the financial services area, so that by way of the
ESA opinion there will already be a certain level of input from other bodies.
7.3. Non-financial sector
EGMLTF would not work in isolation, but draw on inputs from other relevant bodies with
expertise in the field. Europol, the EU Financial Intelligence Units' Platform ("FIU
2 See Fn. 1
3
Platform"), and representatives of DNFBP sectors at EU level could all be invited to assist the
EGMLTF with the AML risk assessment. The best way to organise this would be to invite
representatives from such entities to participate in the work of the EGMLTF for a fixed term
or on an
ad hoc basis, to ensure an effective coordination and timely delivery of the inputs.
a)
Europol
Although not an operational body, Europol supports EU law enforcement authorities by
gathering, analysing and disseminating information and has substantial experience and
expertise in fighting money laundering and terrorism. It participates in both EGMLTF and
FIU Platform meetings, and publishes an annual organised crime threat assessment which
includes analysis on money laundering threats. Its analyses and other intelligence work would
be a useful addition to the EU AML risk assessment. Europol could be invited to share
information and experience it has and which would be relevant for assessing EU level risks in
the areas that will be defined; Europol experts could be invited to relevant EGMLTF
meetings.
b)
EU FIUs
FIUs are organised at the EU level through a group called the FIU Platform set up by the
Commission in 2006. The Platform’s main task is to facilitate cooperation among EU FIUs,
and meetings are chaired by the Commission services. The Platform allows EU FIUs to
exchange information, knowledge and experiences, some of which could be contributed to the
EU AML risk assessment. FIUs are well-positioned to contribute to the risk assessment
process, as they are able to take a broad view of money laundering risks, including risks
associated with DNFBPs. Work could be organised via the Platform in order to input into the
EGMLTF process; and representatives from EU FIUs could be invited to relevant EGMLTF
meetings.
c)
DNFBPs
The 4AMLD does not contain specific provisions regarding input from the DNFBPs. Various
lobby and interest organisations for the DNFBP sectors exist at EU level, but there are only a
limited number of such formally established, EU-level entities and they do not necessarily
represent all types of businesses operating within a certain sector. Partial coverage is therefore
a problem, and such organisations are also unlikely to have sufficient experience, capacity and
resources to make a valuable contribution to a risk assessment at EU level. Gathering
contributions and securing cooperation from such bodies may therefore be difficult.
However, contributions from EU-level DNFBP representative bodies which are sufficiently
well organised and willing to participate could directly feed into the process.
The decision on where to focus the EU level risk assessment will obviously have an impact on
DNFBP involvement: contributions from DNFBP sectors would be needed only to the extent
that the EU level risk assessment concerns areas in which DNFBPs are active. This would
most probably limit the difficulties mentioned above.
4
In addition it is important to keep in mind that national risk assessments pursuant to Article 7
of the 4AMLD will also have to cover DNFBP sectors and that involvement of these sectors
at national level is usually more straightforward and more representative than at EU level (a
number of the DNFBPs are organised via chambers or chartered institutes at national level
which may even have regulatory and supervisory tasks).
Therefore it would seem a reasonable approach that contributions from DNFBP sectors
should be collected at Member State level and that national experts attending the EGMLTF
would then be in a position to present the national views of any particular risks identified in
specific DNFBP sectors where relevant to the EU level risk assessment. This would simplify
and improve the risk assessment process whilst still benefitting from the input provided by
DNFBPs.
8. Possible amendments to the Directive
The Directive could make provision for the basic elements of this work. A recital could be
added to clarify how the work of the group relates to the assessment of EU AML risk as
follows:
“
The Commission, assisted by the EGMLTF should coordinate the assessment of risks at
European level associated with particular issues to be identified and should ensure that due
account is taken of the opinion delivered by the ESAs ”.
A legal provision supplementing Article 6 could be drafted as follows:
”The Commission shall take the necessary steps to coordinate work at EU level on the
identification, understanding and assessment of money laundering and terrorist financing
risks affecting the Internal Market with respect to specific cross-border phenomena and shall
draw up a report on these. The Commission shall be assisted by the Expert Group on Money
Laundering and Terrorist Financing and shall involve EUROPOL, the European FIU
Platform and other EU level bodies where appropriate.”
9. Form of the risk assessment
Once the risk assessment is carried out, the findings would have to be presented and made
available. The question is in what form this could be done.
a)
Legally binding instrument
As an expert group, the EGMLTF is not in a position to take binding decisions. The
EGMLTF's functions in the EU AML risk assessment would be to provide reports record its
findings, risk descriptions and estimations and, if appropriate, provide views and
recommendations on how these risks could be mitigated.
5
Furthermore, as the risk assessment itself is not of a regulatory nature, a document describing
the identified risks and setting out the assessment could not take the form of a delegated or
implementing act3.
For these reasons, a risk assessment could not take the form of a legally binding document.
b)
Non-legally binding instrument
There are a number of ways by which the Commission could adopt and publish a document
presenting the outcome of the risk assessment based on the work carried out in the EGMLTF.
For example it could take the form of a
Commission staff working document or a formal
Commission
Communication. A formalised Commission document would present certain
advantages: it would express an official position of the Commission on the matter and serve
as an important signal to Member States and the European Parliament. However, given the
non-binding nature of the document, Member States would be free to determine the manner in
which they consider and rely on it and its findings. It has to be kept in mind that the adoption
of a formal Commission document requires internal consultation and – as far as a
Communication is concerned – political approval by the College of Commissioners
10. Use to be made of the risk assessment
Once common risks have been identified, the obvious question is what to do about them. If
Member States feel the need to give effect to the identification and assessment of EU-level
risks, the logical consequence of the risk assessment work would be to decide on a set of
appropriate EU-wide measures to mitigate them.
For the financial sector, the Commission’s proposal4 already foresees a mechanism - in the
form of
guidelines drafted by the ESAs - on the risk factors and the measures to be taken by
the competent authorities and obliged entities. These Guidelines will be developed after
appropriate public consultation, and are designed to ensure that the provisions in the Directive
are applied in a uniform and consistent manner. Competent authorities are required to
confirm compliance with the Guidelines, or reasons for non-compliance.
Where risks identified in the risk assessment concern the non-financial sector, mitigating
measures could take the form of guidance addressed to DNFBPs and competent authorities
contained in a Commission Recommendation, on the basis of work carried out by the
EGMLTF, as described above.
3 Delegated acts are designed lay down rules to supplement or amend certain non-essential elements of a basic
act, whilst implementing acts are used to provide uniform conditions for the implementation of a basic act.
4 Articles 15, 16 and 45
6
11. Conclusion
An EU AML risk assessment would be coordinated by the Commission services and work
would be carried out by the EGMLTF, using as a basis available national risk assessments,
and with contributions from Europol, the FIU Platform and, to the extent feasible and
appropriate, various DNFBP organisations at EU level. In the financial sector, the ESAs joint
opinion would require upstream coordination with other bodies, including the private sector
input, and mitigating measures would be set out in the form of guidelines, as already foreseen
by the Directive.
The risk assessment should focus on a limited number of specific EU AML risks which are
sufficiently precise in scope, and involvement of DNFBPs would depend on the specific EU
risks identified. The main DNFBP contributions, as far as relevant for the specific risk, would
be gathered at national level and presented to the EGMLTF by the national representatives
participating in the group's work as part of input to its own assessment. Mitigating measures
would take the form, in the financial sector, of guidelines produced by ESAs (on CDD and
risk-based supervision) and in the non-financial sector could take the form of guidance issued
in the form of a Commission Recommendation.
7
Annex
JOINT PAPER FRANCE-GERMANY-ITALY
AMENDMENTS ON 4TH AMLD – 20/09/2013
Risk assessment (recital 17 and article 6)
Current draft proposal
Amendment proposed
Recital 17
Recital 17
(17) In order to better understand and mitigate (17) In order to better understand and mitigate
risks at European Union level, Member States risks at European Union level, a supranational
should share the results of their risk assessments risk assessment should be put in place in order
with each other, the Commission and EBA, to identify in an effective way the ML/TF risks
EIOPA and ESMA, where appropriate.
facing the internal market. The European level
should oblige Member States to address
effectively the scenarios that are of high risk. In
addition, Member States should share the
results of their risk assessments with each other,
the Commission and EBA, EIOPA and ESMA,
where appropriate.
Comments: in order to provide a clear interpretation of how the different levels of assessment
should have to be articulated, we propose to precise in a recital that the supranational risk
assessment should have to be effectively endorsed by MS, especially as regards high risk situations.
Current draft proposal
Amendment proposed
Article 6
Article 6
1. The European Banking Authority (hereinafter 1. The European Banking Authority (hereinafter
"EBA"), European Insurance and Occupational "EBA"), European Insurance and Occupational
Pensions Authority (hereinafter "EIOPA") and Pensions Authority (hereinafter "EIOPA") and
European Securities and Markets Authority European Securities and Markets Authority
(hereinafter "ESMA") shall provide a joint (hereinafter "ESMA") shall provide a joint
opinion on the money laundering and terrorist opinion on the money laundering and terrorist
financing risks affecting the internal market.
financing risks affecting the internal market.
The opinion shall be provided within 2 years The opinion shall be provided within 2 years
from the date of entry into force of this from the date of entry into force of this
8
Directive.
Directive.
2. The Commission shall make the opinion 2. The Commission shall make the opinion
available to assist Member States and obliged available to assist Member States and obliged
entities to identify, manage and mitigate the risk entities to identify, manage and mitigate the risk
of money laundering and terrorist financing.
of money laundering and terrorist financing.
1. The Commission shall take the necessary steps
to identify, understand and assess the money
laundering and terrorist financing risks affecting
the internal market, with specific reference to
cross-border phenomena, in cooperation with
EUROPOL, the Committee of European FIUs,
EBA, EIOPA, ESMA and other relevant
authorities.
2. The Commission shall:
keep the assessment up-to-date;
make the results of its risk assessment
available to Member States, EUROPOL,
the Committee of European FIUs, EBA,
EIOPA, ESMA and other relevant
authorities
in
accordance
with
paragraph 1 ;
make appropriate information available
to obliged entities to carry out and
manage their own money laundering
and terrorist financing risk assessment.
3. In order to address the risks identified and to
identify the appropriate customer due diligence
measures, the Commission shall adopt the
necessary acts in accordance with the procedure
laid down in Regulation EU 182/2011.
4. The Commission shall be assisted by the
Committee on the Prevention of Money
Laundering and Terrorist Financing hereinafter
9
referred to as “the Committee”. The Committee
shall be a committee within the meaning of
Regulation EU 182/2011.
5. Member States may adopt or retain in force
stricter provisions than those envisaged in
accordance to paragraph 4.
Comments: the modifications of current article 6 of the draft text aim at strengthening the
provisions related to supranational risk assessment. Indeed it is not sufficient to provide an exclusive
role to ESAs and it is necessary to take into account other risk factors by involving other
stakeholders in the process. As a result of the risk assessment, the Commission will address the risks
identified and will decide the appropriate customer due diligence measures applicable through the
adoption of appropriate implementing acts. In case of low risk situations identified as such by the
Commission, MS remain free to adopt stricter measures at national level.
10