European Supervisors Outline Financial Sector’s AML Weak Spots
04 Nov 2019

A recent joint report by the European Banking Authority (EBA), the European Securities & Markets Authority and the European Insurance and Occupational Pensions Authority (the Joint Supervisory Authorities, or JSAs) has highlighted current money laundering and terrorist financing risks to the EU’s financial sector participants.

Transaction monitoring and suspicious activity reporting remain a concern, whilst enterprise-wide and customer risk assessments continue to be challenging for firms across the sector, the supervisors concluded.

Inconsistent implementation of the 4th EU Money Laundering Directive (4MLD) presents a challenge as do divergences between 4MLD and other EU legislation on authorisations and the “fit-and-proper” criteria. New technologies can help firms in the fight against financial crime, but they can also increase the sector’s vulnerabilities if they are not understood and mitigated, they said. Virtual currencies also present risks as they facilitate anonymity and they are inconsistently regulated across the EU.

The JSAs identified a number of cross-sector risks that are worthy of note:


With the probability of the UK leaving the EU, money laundering and terrorist financing risks may increase as firms relocate from the UK or transfer business activities to another member-state. In cases where regulators do not have adequate resources or a thorough understanding of the new activities taking place in their jurisdictions, enhanced risks may surface, the report found.

Where a UK firm establishes a “shell” firm in another member-state but with substantial business activities remaining in the UK, the shell firm’s regulator may find it difficult to adequately supervise those activities. Furthermore, as 4MLD only sets minimum standards for national measures, the requirements of the “new home” member-state may exceed those of the UK. Accordingly, the “new” firm may have challenges in coming to terms with these higher standards.

As the UK will be a “third” country following Brexit, EU firms may have to revise their procedures and controls regarding correspondent banking, funds’ transfers, third-party reliance arrangements and customer risk assessments. In the event of the UK leaving under a “no-deal” scenario, the exchange of information between EU national regulators may be impeded, according to the report.

New technology

The JSAs also noted that regulators across the EU believe that RegTech and FinTech present compliance risks, both now and in the future. FinTech risks include the provision of unregulated products, poor execution of CDD procedures, a weak understanding by FinTech providers of their regulatory obligations, a deficient compliance culture amongst providers, the implementation of new technologies to remotely onboard customers that could prove vulnerable to ID theft and an over-reliance on outsourcing arrangements with FinTech providers that don’t have adequate oversight controls.

EU regulators identified many RegTech risks, including an over reliance on RegTech causing a loss of human expertise and judgement in monitoring cases, the lack of an adequate legal framework, firms not understanding that RegTech and a lack of oversight when using outsourced RegTech firms.

Virtual currencies

The 5th EU Money Laundering Directive (5MLD), to be implemented in January 2020, provides a legal framework for the use of virtual currencies. Nevertheless, the JSAs cite a number of risks associated with virtual currencies, including that a lack of understanding of these products and services could prevent the completion of proper risk assessments and the implementation of adequate CDD controls for online transaction processing.

With FATF’s decision to look beyond virtual currencies to “virtual assets” and other blockchain products, EU legislation is now out of step with FATF guidance, according to the report. Accordingly, further EU legislation is required.

Legislative divergence

Because EU money laundering directives impose minimum standards for member-states, nations have interpreted their obligations in different ways, particularly when it comes to determining what a “risk-based approach” means, the report noted.

Differences in interpretation and implementation of the directives have led to some firms choosing to be regulated by more permissive regulators and then “passporting” services into other EU countries. Also, given different interpretations by national “home-state” regulators of EU legislation on the authorisation of firms and their senior executives, risks may arise across the EU where firms “passport” services across the Union, even though “host country” regulators may not have authorised the firms in question if they had the opportunity to do so.

Additionally, the JSAs note that real or perceived legal impediments impede the cross-border sharing of information between regulators on firms offering international services. Provisions in 5MLD attempt to address these impediments.

Supervisory practices

Both FATF and Moneyval have questioned the supervisory practices of some regulators. Politicians have found some regulators to be defective, while the EBA ruled the Maltese regulator breached EU law when supervising Pilatus Bank.

While the risk-based approach may result in different approaches being adopted by regulators, the JSAs note that some regulators based their assessment on just one factor, while some others appear to have “cut and pasted” another regulator’s assessment without considering local factors. In some cases, the JSAs found that regulators adopted a holistic approach rather than a sector-specific approach. Additionally, some regulators’ resource allocations, particularly staff, did not align with their own assessments of each sector’s risks.

Internal controls

While most national regulators have noted that firms’ internal controls have improved since 2017 and are now deemed to be “adequate” in regard to recordkeeping, CDD and suspicious transaction reporting, some concerns remain. It appears that procedures are not, in practice, consistently effective, the report found. Particular weaknesses include the quality of group-wide money laundering and terrorism financing assessments, the effectiveness of suspicious transaction reporting and inadequate transaction monitoring. Many regulators assessed these particular controls to be “poor” or “very poor”.

National regulators reported that the most common breaches of regulatory obligations were related to CDD, the overall ML/TF procedures and customers’ risk assessments. Regulators considered firms’ controls over beneficial owners to be “inadequate”. Whilst the current absence of a beneficial owners central register in some member-states may be a factor in this assessment, the JSAs advise firms that exclusive reliance on a register is not permitted for identification purposes.

Terrorism financing

The JSAs consider that firms’ systems and controls in sectors particularly vulnerable to TF remain weak. Of particular concern is transaction monitoring, particularly where firms place greater reliance on CDD to identify TF. Firms are reminded that sanctions screening is not an adequate substitute for effective TF controls as, often, TF emanates from individuals who are not subject to any sanctions.

The lack of an adequate flow of information from law enforcement agencies to firms impedes firms’ ability to identify TF. Equally, the disruption of terrorist activities and networks is restricted by firms failing to provide relevant, timely information to the authorities. While some member-states have public/private information sharing mechanisms, firms are reminded that such initiatives are additional to, and do not replace, the usual suspicious transaction reporting.


Financial exclusion of customers deemed to pose a higher money laundering risk may result in transactions being conducted in informal or unregulated payment mechanisms outside the view of regulators, the supervisors said. Firms are reminded that the risk-based approach does not require them to refuse or terminate business relationships with an entire category of customers. Rather, they should assess the risks of individual customers. Member-states are encouraged to ensure that legitimate customers are not denied access to financial services, as otherwise the overall ML/TF risk across the EU may increase.

Sector-specific risks

The JSAs also analyse the risks that are specific to each sector. For reasons of space, only those sectors that are deemed to be high-risk will be discussed below, but KYC360 readers should be aware that the life insurance companies, life insurance intermediaries, other credit providers, investment firms and investment fund sectors are adjudged to be low- or lower-risk.

Credit institutions

Credit institutions are assessed to be inherently risky as they are often the first point of entry to the financial system. The use of cash exposes credit institutions to vulnerabilities, while cross-border transactions are considered to present significant and moderately significant ML/TF risk, particularly for member-states that contain international financial centres. Offshore corporate customers and individual customers from high-risk countries also increase the sector’s inherent vulnerabilities.

Although the controls operated by credit institutions are judged to be generally good or very good, concerns remain, particularly in regard to transaction monitoring and the reporting of suspicions. Risk assessments are problematic in that many group-wide assessments and individual business relationship assessments are inadequate.

Regulators remain troubled by the quality and effectiveness of controls when operated in practice and firms’ level of understanding of the risks they are exposed to. Accordingly, significant concerns are expressed over the ability of institutions to effectively detect and deter money laundering and terrorist financing.

Overall, after assessing inherent risks and controls, regulators deem the sector’s risk profile to be significant or moderately significant, which is unchanged from the previous report. The JSAs suggest that as the overall risk is the same as the inherent risk, the sector’s controls that are in place are not effective in mitigating its overall weaknesses.

E-money issuers

Most regulators assess the overall inherent risk to this sector to be significant or moderately significant and a similar view prevails of the sector’s risk to cross-border transactions. The quality of the sector’s controls varies from poor to very good in the eyes of the regulators. Weaknesses were identified in transaction monitoring and governance arrangements.

Payment institutions

The majority of national regulators believe that payment institutions and their services have an inherent risk that is either significant or very significant, according to the report. Of particular concern are those institutions that offer money remittance services, which are often cash-intensive, high-speed and high-volume payments to high-risk jurisdictions. Risks are often increased due to the use of networks of agents that may collude with criminals. The risk accruing from cross-border transactions is also rated to be significant or very significant. This level of risk has led to some banks’ “derisking” of such customers with links to certain high-risk countries.

National regulators assessed the controls operated by the sector’s participants to range from good to very poor. Concerns were expressed about the level of awareness of ML/TF risk, inadequate customer and group-wide risk assessments, transaction monitoring and suspicious activity reporting. Governance of agent networks, their risk awareness and the lack of training were frequently mentioned.

Regulators considered the sector’s overall risks to be significant or very significant. In contrast, sector representatives believe the overall risk to be “medium”, the report noted.

Bureaux de change

Regulators assessed this sector’s inherent risk to range from very significant to less significant. Risk-increasing factors include the prevalence of cash transactions, the anonymity of transactions, the proximity to borders and the customer base of migrants, tourists, cross-border workers and asylum seekers. However, the report recognizes that the majority of firms presented a less significant risk.

The adequacy and effectiveness of ongoing monitoring is of concern to regulators, as is the reporting of suspicious activity and customer-risk assessments as relevant controls. The sector’s overall risk assessment is judged to be significant or very significant due to poor implementation of controls and the lack of awareness of regulatory obligations.


KYC360 readers in the EU would be well advised to carefully consider the JSAs’ report. All firms should consider how they can address and mitigate the cross-sector risks identified by the international regulators. Special attention should also be afforded to the relevant risk analysis for each firm’s sectors as it is probable that the firm’s regulator has contributed to the risk analysis. Ignoring or disregarding their efforts may turn out to be a short-sighted policy.

Denis O’Connor is both a Fellow of the Institute of Chartered Accountants in England & Wales and the Chartered Institute of Securities and Investment. He was a member of the British Bankers’ Association Money Laundering Committee from 2003-10, and a member of the JMLSG’s Board and Editorial Panel between 2010 and 2016.

He has been a frequent speaker at industry conferences on financial crime issues, both in the UK and abroad.

This article is expressing personal opinions and is meant for information purposes only. The article does not intend to replace professional or legal advice. It is recommended that readers seek independent professional or legal advice, or speak to authorised persons/organisations.
