In this article we meet Chris Mangioni, an associate director at the compliance consulting firm of Protiviti and, before 23rd June, an AML officer at Deutsche Bank. We discuss the EU’s new regulatory technical standards for group-wide AML policies and the likelihood of 5MLD saving banks money.

The article is in the form of a question-and-answer session.

Q: Are any new rules on the immediate horizon?

A: There is a new requirement coming from 4MLD, a requirement that banks and fintechs are struggling to meet. It kicks in on 3rd September and they’re not ready. On 14 May, two months ago, the EU gave firms until 3rd September to do a full assessment of every non-EEA (European Economic Area) country that they conduct business with. The countries that contain their branches are in, but they must also do a country-by-country assessment of whether those countries fall below the requisite standards. To be subject to this, you need an EEA home regulator, which sets 4MLD as the standard.

Q: What if your organisation is an American private bank?

A: If you are an American bank, you are off the hook. The US is considered to have equivalence. If that’s the case, it’s ‘end of story.’ Put it to bed.

So the bank has to work out which non-EEA countries it operates in, then do the country-by-country analysis, asking itself “what are the strict standards?” (Saudi Arabia comes to mind – there you need to log every ultimate beneficial ownership that goes over 5%, whereas in most countries it’s 10%.) If you go higher, it's good! If lower (if, for example, they have information-sharing restrictions) and they cannot comply, so many banks at the moment are asking themselves “are we comfortable with the risk?” when they should be talking to their regulators about it.

So they should be checking to see if the country has a similar AML status, then they should check to see whether it falls short (i.e. whether its standards are below EU ones), then they should report the shortfalls to their regulator within 28 days maximum – that is their home regulator, their member-state regulator. They ought to consider whether they could get the customer’s consent to giving the information to the regulator.

Q: What lists should they look at?

A: They need to use the European Commission’s high-risk non-EEA country list as the basis for their searches but that’s only the starting point. They should then look at the FATF list of countries of strategic deficiencies. They should definitely include them but then they should look at other non-EEA countries that they have operations in, working through subsidiaries or branches.

I don't think that most of the smaller private banks and asset management companies are doing this. The fintechs come into scope in 4MLD and I don't think that they know this exists.

Q: What else should you be doing to deal with country risk?

A: You should be doing Russia, and the update to 4MLD says that you need senior management sign-off (appropriate at group level – I would say that you’d have to get it from the main board) for your obligation to do those risk-assessments for countries where you have an established branch or subsidiary. There is a general obligation to do this for each non-EEA country. A large firm such as Deutsche Bank might have an umbrella group risk assessment that drills down to CBC (country-by-country) assessments and they sign it off in one go. For smaller firms that's a nice-to-have rather than essential.

They should do EDD (‘extra due diligence’) on any country they have assessed to be high risk in their CBC assessments. EDD ought to consist of:

• onsite vists – spot checks, file reviews;
• independent auditing; and
• enhanced training.

That's the first and biggest point about 4MLD.

4MLD requires that for any European Commission high-risk non-EEA countries where there’s a business relationship existing, they should do EDD on those clients using monitoring and greater scrutiny of those clients. I think that banks are still using stock-standard EDD and not tailoring it, increasing the degree of monitoring. Saudi Arabia is now on the list – what are they doing to enhance their EDD on that? The European Commission does not list the country as high risk but they have great concern about it.

Q: 5MLD is in the pipeline – what should we be doing about that?

A: 5MLD is about the warning signs. EU countries have to observe it by 10 January 2020 at latest. I understand that there will be no further grace period. The [national] laws are still not finalised, but your firm’s implementation should be ready.

A lot of new entities are in scope. They include cryptos and virtual currency firms. From a current banking perspective, 5MLD is not as material a change as 4MLD. Under 4MLD it said that you had to do EDD for anyone in a high-risk non-EEA country. Now it's if the customer is ‘involved’ in one.

5MLD helps with remote and electronic verification, and it will help firms share more information with each other. This will save banks money.

Q: Surely there is another thing in 5MLD that will save banks money – the fact that there are to be many more reporting entities in new fields. Banks will therefore be able to rely on them for the verification of customers’ identities, economic purposes etc.

A: Reliance has been pushed to the margins. Banks are becoming less and less willing to rely on other firms because they are ultimately accountable for any mistakes.