With the European Parliament and EU Council of Ministers finally approving a major overhaul of EU anti-money laundering (AML) laws, accountants in the bloc will have to change their practices to comply with tighter laws. The key impact will come under a new comprehensive AML regulation, a legal instrument that must be followed to the letter – member states would have had more leeway on implementation if an AML directive had been issued, as has always been the case previously.
‘Directives require implementation by jurisdictions, so there have been inconsistencies in how legislation was framed, applied and supervised,’ explains Angela Foyle, AML working party chair for Accountancy Europe. ‘The aim of this package is consistency in processes, procedures and expectations.’
‘You can’t outsource key decisions such as whether to accept or reject a client’
Key changes
One key change, she says, is a new requirement for accountancy practices to create a compliance officer role to run AML compliance programmes. Compliance officers have been specifically protected against reprisals for whistleblowing, with supervisory AML authorities having to be notified if compliance officers are dismissed as a result of AML compliance activity.
The new regulation clarifies and intensifies customer due diligence rules to ensure that accountants know their clients are not involved in criminal activity. The rules on outsourcing outside the EU have also been amended. Foyle says: ‘You can’t outsource certain key decisions such as whether to accept or reject a client, and there are restrictions on outsourcing to high-risk countries.’
Changes in the beneficial ownership requirements mean that accountants know who owns a corporate client or controls an individual’s wealth, and the new laws clarify how to assess both formal ownership and effective control. ‘There’s going to be quite a lot of analytical work around that,’ Foyle points out.
PEPs and STRs
The law also covers special checks on ‘politically exposed persons’ (PEPs) – influential people who face a higher level of bribe risk. Member states have been told to publish categories of people who fall into the PEP classification. The regulation also reinforces rules on how and when accountants make and issue a suspicious transaction report (STR) to their national financial intelligence unit when they have money laundering concerns about a client.
An STR must be filed under the regulation when an auditor, external accountant or tax adviser realises they are ‘taking part in money laundering or terrorist financing’ through helping their client. The same applies when a ‘client is seeking legal advice for the purposes of money laundering, its predicate offences or terrorist financing’, with external accountants and auditors inferring these problems ‘from objective factual circumstances’.
These responsibilities do not apply to in-house accountants unless they themselves are working for other businesses (‘obliged entities’) that have AML duties, such as banks, fund managers, casinos and currency exchanges. Internal accountants who work for an obliged entity may have to screen clients for dirty money, especially when in client-facing roles.
New anonymous accounts are banned and existing ones subject to customer due diligence
The regulation bans anonymous accounts, which could impact accountancy practices. While these requirements were formally in place under the 2015 fifth EU AML directive, implementation will be standardised across the 27 member states and become more onerous. The text says: ‘Credit institutions, financial institutions and crypto-asset service providers shall be prohibited from keeping anonymous bank and payment accounts, anonymous passbooks, anonymous safe-deposit boxes or anonymous crypto-asset accounts…’
Owners and beneficiaries of existing anonymous accounts will henceforth be subject to customer due diligence measures before those accounts, passbooks or deposit boxes can be used. The reform extends AML requirements, such as customer due diligence and STR filing, to much of the crypto-sector, luxury goods traders and EU football (soccer) clubs and agents.
AMLA
The creation of a new EU-level Anti-Money Laundering Authority (AMLA) with powers to take over the supervision of financial industries and professions when national supervisors fail to do so properly is also of relevance. While this does not apply to accounting supervisory bodies, AMLA has the authority to coordinate the AML work of these professional organisations.
Where AML supervisory organisations are private (for example, professional bodies), member states must now create public overseers to liaise with AMLA. The relationship with the existing supervisor may be similar to that in the UK under the Office for Professional Body Anti-Money Laundering Supervision (OPBAS) since 2018.
AMLA can issue a warning to non-compliant accounting AML supervisory bodies
‘If I was a professional body regulator knowing I was going to have a statutory body overseeing me, then I think I would be expecting to have challenge and pushback [from the new supervisory body],’ Foyle says. ‘With any new change, people always want to bring in new ideas.’
She adds that that might especially be the case in jurisdictions where there are recognised AML weaknesses. This is because AMLA will itself supervise these new public bodies and can ‘coordinate peer reviews of supervisory standards and practices and request non-financial supervisors … ensure the observance of AML requirements in their sphere of competence.’
Where AMLA finds accounting AML supervisory bodies are failing to uphold EU AML laws ‘and such breaches are not rectified … it should issue warnings’. The authority should be fully operational in 2025, and will be based in Frankfurt, Germany’s financial centre and home to the EU’s key financial regulatory body, the European Central Bank.
Beneficial ownership
Meanwhile, some elements of EU AML policy will remain shaped by a directive. The EU’s sixth AML directive will include rules on how member states operate and provide access to beneficial ownership registers. Under the fifth directive, the public was supposed to have access to these databases, but a November 2022 European Court of Justice case ruling that this breached EU privacy rights prompted a rethink.
The general access rights are now gone, but the sixth directive requires member states to allow access to EU accountants and other professionals wishing to avoid doing business with criminals; these rights may sometimes be offered to non-EU accountants. Indeed, the law allows member states, if they wish, to expand such rights to all obliged entities, such as accountants who have duties to report suspicious transactions to financial intelligence units.
Journalists and civil society groups probing money laundering also have rights to access these registers under the law, which could expose accountants to reputational risk, if unwelcome publicity emerges about clients.
‘Accountants are going to have to do remediation and see if their standards are appropriate’
What to do
Change is in the pipeline for European accountants on AML and combatting the financing of terrorism (CFT). PwC’s advice is that accountants ensure major banking clients conduct ‘a thorough assessment and gap analysis of their existing [AML/CFT] governance framework, internal policies and procedures, as well as internal controls’.
According to KPMG, major financial clients need to prepare for ‘tougher AML regulatory standards and more intrusive supervision’ and undertake ‘detailed country-by-country analysis of existing policies and practices against the new requirements…’
Foyle says accountants should start reviewing the changes now. They have three years until the new regulation comes into force (by June 2027). ‘You need to start thinking about what the implications of this might be for existing clients,’ she says. ‘You’re going to have to do remediation and see if your standards are appropriate. If you’re a small firm, you may need to engage with a professional body to see what guidance and advice they can give.’
One issue may be liaising with clients over additional information required, especially if there are related data protection requirements, she adds. It is good practice to periodically update information such as beneficial ownership and know your customer, so ‘why not update it as you’re looking at those over the next three years’, and maybe ‘start with what you think are the higher-risk clients’.