EU efforts to fight money laundering in the banking sector are fragmented and implementation is insufficient

Executive summary

I

Money laundering is the practice of “legitimising” the proceeds of crime by filtering them into the regular economy to disguise their illegal origin. Within Europe, Europol estimates the value of suspicious transactions in the hundreds of billions of euros – at an equivalent of 1.3 % of the EU’s gross domestic product (GDP). Global estimates are close to 3 % of world GDP.

II

The EU adopted its first anti-money laundering directive in 1991, most recently updated in 2018, to counter threats to the internal market from money laundering, and, subsequently, to prevent terrorist financing. The anti-money laundering directive relies on implementation at national level for effect.

III

A number of EU bodies play a part too. The Commission develops policy, monitors transposition, and carries out risk analysis. The European Banking Authority (EBA) carries out analysis, investigates breaches of Union law, and sets detailed standards for use by supervisors and industry. In 2020, the EBA’s legal mandate and powers in respect of anti-money laundering and countering the financing of terrorism (AML/CFT) were substantially increased. The European Central Bank (ECB) takes money laundering and terrorist financing (ML/TF) risk into account in the prudential supervision of banks in the euro area and, since 2019, has been sharing relevant and necessary anti-money laundering and countering the financing of terrorism (AML/CFT) information with national supervisors.

IV

Given the importance of EU AML/CFT policy and the current momentum for reform, we decided to audit aspects of its efficiency and effectiveness. Our report is intended to inform stakeholders and provide recommendations to further support development of policy and implementation. We looked at the EU’s actions in this field by focusing on the banking sector by asking whether the EU’s action is well implemented.

V

Overall, we found institutional fragmentation and poor co-ordination at EU level when it came to actions to prevent ML/TF and take action where risk was identified. In practice, AML/CFT supervision still takes place at national level with an insufficient EU oversight framework to ensure a level playing field.

VI

The Commission is obliged to publish a list of countries outside the EU (“third countries”) which pose a money-laundering threat to the internal market. There were shortcomings in relation to communication with listed third countries, and a lack of cooperation by the European External Action Service. Furthermore, to date, the EU has not adopted an autonomous list of high-risk third countries. The Commission also carries out a risk assessment for the internal market every two years. This risk assessment does not indicate changes over time, lacks a geographical focus, and does not prioritise risk effectively.

VII

We found that the Commission was slow to assess Member States’ transposition of directives due to poor-quality communication by Member States and limited resources at the Commission. European Banking Authority staff carried out thorough investigations of potential breaches of EU law, but we found evidence of lobbying of its Board of Supervisors who were part of a deliberative process. We also found that the European Central Bank has made a good start in sharing information with national AML/CFT supervisors, although some decision-making procedures were slow. The quality of material shared by the supervisors also varied considerably due to national practices, and the EBA is developing updated guidance.

VIII

We recommend that the Commission should:

1. prioritise ML/TF risk more clearly, and liaise with the European External Action Service for listed third countries.
2. make use of regulations in preference to directives where possible;
3. put in place a framework for making breach of Union law requests;

IX

We recommend that the European Banking Authority should:

1. put in place rules to prevent other Board of Supervisors members from seeking to influence panel members during their deliberations;
2. issue guidelines that facilitate harmonised information exchanges between national and EU-level supervisors.

X

We recommend that the European Central Bank should:

1. put more efficient internal decision-making procedures in place;
2. make changes to its supervisory practices once guidance from the European Banking Authority is in place.

XI

The forthcoming legislative reform is an opportunity for the Commission, the European Parliament and the Council to address the weaknesses identified and to remedy the fragmentation of the EU AML/CFT framework.

Introduction

What is money laundering?

01

Money laundering can occur right across the economy, from gambling to commodity trades and property purchases. However, at some stage launderers usually need to use the banking system, particularly when converting and moving illegal proceeds (known as “layering”). For more detail on how money laundering works, see Figure 1. Indeed, the most recent Eurostat figures¹ show that over 75 % of suspicious transactions reported came from credit institutions in more than half of EU Member States. Therefore preventive measures in the banking sector can be an effective tool for breaking the cycle of money laundering.

02

A related threat to money laundering is terrorist financing, see Box 1. Policies to tackle money laundering and terrorist financing (ML/TF) are linked and generally dealt with by the same instruments, referred to as anti-money laundering and countering the financing of terrorism (AML/CFT).

Public policy to counter money laundering

03

National AML policies to prevent and punish money laundering go back to the 1970s. Globally, the key body in this regard is the inter-governmental Financial Action Task Force (FATF), which was established by the G7 in 1989 and is based in Paris. The 39 members of the FATF include the United States, Russia and China, as well as the European Commission and 14 EU Member States.

04

The FATF sets standards and promotes effective action for combating money laundering, terrorist financing and other related threats to the integrity of the international financial system. Its guidance now covers preventive measures for financial institutions, as well as the recommended powers of regulators, supervisors and law enforcement bodies. It facilitates ‘Mutual Evaluation Reports’ (MERs), a system of periodic peer reviews among its members to assess how well its standards and recommendations are being put into practice. The EU does not focus on peer review of implementation at national level to the same extent as in the FATF approach.

05

In 1991, building on the FATF standards, the EU adopted an anti-money laundering directive (AMLD) to prevent criminals from taking advantage of the free movement of capital in the internal market, and to harmonise the Member States’ efforts to tackle money laundering. The EU has since updated the AMLD four times, as FATF standards have evolved, tightening the rules each time. This has been to reflect the growing recognition at global level of the adverse effects of money laundering and new techniques used by money launderers, while strengthening the framework through other criminal law legislation. More detail on the legal framework can be found in Annex I.

06

Prosecution and enforcement for money laundering offences in the EU is at the discretion of Member States, which apply varying prosecuting standards and penalties. Of the other FATF countries, the United States generally follows a more punitive regime in its enforcement of money laundering rules and penalties, and cases in recent years have seen large fines and other penalties imposed on EU banks operating in the US. For more details see Annex IV.

Responsibilities of the EU and the Member States

07

The EU AML/CFT framework has to date mostly taken the form of directives under Article 114 TFEU. This contrasts with other areas of financial services legislation where a hybrid approach of both regulation and directive has become more common. Therefore for AML/CFT, EU bodies provide policy development, guidance, and oversight; but the law is implemented in the Member States. There is no single EU-level AML/CFT supervisor. Designated national AML/CFT supervisory bodies have the job of ensuring that financial and other institutions covered by the AML/CFT rules comply with their obligations, and of taking corrective action if they do not. This can include financial penalties and restrictions on conducting business. Financial institutions are also obliged to report suspicious activity to their Member State’s financial intelligence units (FIUs), see also Figure 2.

08

Compared to the United States, the EU does not have a single money-laundering supervisor for any sector. Each Member State has a supervisor (or supervisors) competent to supervise banks, and indeed other 'obliged entities'. EU bodies have limited direct powers. Behaviour by supervisors is very different, potentially leading to unequal treatment across Member States². In the United States the Financial Crimes Enforcement Network (FinCEN) is the primary AML/CFT regulatory body and monitors banks, financial institutions and individuals. FinCEN’s actions have a global reach as it has the power to prohibit banks outside the US from having correspondent banking relationships with US banks if it has reasonable grounds to conclude that a bank is of primary money laundering concern³.

09

The Commission’s Directorate-General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA)⁴ coordinates EU policy on anti-money laundering and countering terrorist financing. The Commission is responsible for highlighting risks to the EU’s financial system and making appropriate recommendations to relevant stakeholders. It is also in charge of policy development and of ensuring that the EU legislation is transposed and implemented in Member States. The Commission therefore has the key role to play in facilitating the creation of a robust AML/CFT framework in the EU. The European External Action Service (EEAS) and Europol also have a role to play in producing relevant intelligence on ML/TF for use by the Commission.

10

The European Banking Authority (EBA) is since 2020 responsible for leading, coordinating and monitoring the EU financial sector’s fight against money laundering and terrorist financing. Before then, its work covered only the banking sector including the drafting of regulatory instruments, such as guidelines, opinions on ML/TF risks, and reports. The EBA also has powers to investigate suspected breaches of EU law by national supervisors in this regard. The EBA does not have supervisory or enforcement powers.

11

The European Central Bank (ECB) is responsible for prudential supervision of large banks in the euro area. Prudential implications of ML/TF risks have increasingly become a topic of interest for the ECB, as ML/TF risk can lead to supervisory challenges, and reputational risk for the sector as a whole. Since 2019 the ECB has begun to integrate AML/CFT considerations in its prudential supervision, which is dealt with through the Supervisory Review and Evaluation Process (SREP). With the support of the EBA and the other ESAs, it has signed an exchange of information agreements with around 50 AML/CFT supervisors, and ECB supervisors assess the information, incorporate it in their prudential supervisory work and, if necessary, take the appropriate prudential measures.

12

Europol supports Member States in their fight against money laundering and terrorist financing. The key EU players are set out in Figure 2.

Policy state of play

13

One of the key aspects of the current policy debate on the EU AML/CFT architecture is the lack of central EU AML/CFT supervision, and how this leads to an uneven playing field⁵.

14

In May 2020, the Commission adopted an action plan on AML/CFT in the form of a communication including several pillars⁶, along with the publication of the revised methodology on the identification of high-risk third countries. The Commission will propose the establishment of a Single Rulebook, a single supervisory body for AML/CFT. This was subsequently broadly supported by the European Parliament⁷.

15

In November 2020, the Council issued conclusions⁸ broadly supporting these policy objectives. The legislative proposals to include the pillars set out in the preceding paragraph are expected from the Commission by mid- 2021.

Audit scope and approach

16

Given the importance of the AML/CFT policy in the EU, recent high-profile cases of ML/TF in the banking sector, and the current appetite for reform, we decided to audit aspects of its efficiency and effectiveness. Our report is intended to inform stakeholders and provide recommendations to support development of policy and further implementation.

17

The main audit question was whether EU action in the fight against money laundering in the banking sector is well implemented. Although our audit focus is the banking sector, the conclusions may be relevant to ML/TF policy for other sectors too. We have left financial intelligence units (FIUs) out of the scope of this audit. The sub-questions are:

• Does the EU produce a third-country list that identifies specific threats to the EU?
• Did the Commission appropriately assess the money laundering risks affecting the internal market?
• Did the Commission appropriately assess the transposition of EU legislation into national legislation?
• Did the Commission and EBA take timely and effective action in response to potential breaches of EU AML/CFT law?
• Did the ECB efficiently integrate ML/TF risks into its prudential supervision of banks and did it efficiently share information with national supervisors?

18

Our auditees were the Commission (mainly DG FISMA), the European Banking Authority (EBA) and the European Central Bank (ECB). Findings were also cleared with the EEAS. In addition, we conducted an electronic survey amongst the 27 member countries of the Expert Group on Anti-money Laundering and Counter Terrorist Financing (EGMLTF). The survey touched on aspects of ML/TF policy implementation at national level, such as risk assessment and transposition. We received answers from 20 countries. Reference to the survey is included throughout this report. We also conducted interviews with public authorities involved in AML/CFT policy and supervision from four Member States . We chose them for a range of size, location, and ML/TF risks faced. In several sections we carried out our detailed work using a sample of either Member States or banks, with the selection criteria explained in the respective sections. We discussed our preliminary findings with an expert panel.

19

Our audit criteria are drawn from the international standards set by the FATF⁹ and the Basel Committee on Banking Supervision¹⁰. The legal framework (AMLD, CRD, SSMR and EBA Regulation) and relevant guidelines issued by the EBA were also used. For the EBA’s activity we carried out benchmarking against its specific sets of rules of procedure, where relevant. With regard to transposition, we referred to the Commission’s own Better Regulation guidelines. For the risk assessment carried out by the Commission, we applied the relevant risk assessment standards.

Observations

The EU’s list of risky third countries is not tailored to the potential threats to the EU

20

The Commission is legally obliged to identify countries outside the EU that have strategic deficiencies in their national AML/CFT framework that pose a risk to the EU’s financial system¹¹. The Commission adopts the list of high-risk third countries by way of a “Delegated Act”¹² When the Commission identifies such third countries¹³, it means that obliged entities (including banks) within the EU are immediately forced to apply much stricter measures (specifically enhanced due diligence) when dealing with individuals and firms in the countries on the list. This is to protect the proper functioning of the internal market and to limit the flow of laundered money into the EU. There are over 200 countries and territories which the EU must consider. Putting a country on the list can lead to delays and costs in doing business for EU firms and citizens who want to do business with these countries, and indeed vice versa. It can also lead to de-risking, which is where firms strategically withdraw from market segments due to the regulatory burden.

21

We assessed whether the Commission’s process for generating a third country list is efficient and effective, by reference to the relevant standards.

The Commission’s method of gathering inputs to generate a third-country list was efficient, but was hindered by a lack of timely co-operation on the part of the EEAS

22

The AMLD obliges the Commission to consider reliable and up-to-date information sources when making its assessments, including the third countries’ AML/CFT frameworks. As a first step, in July 2018, the Commission adopted and published a staff-working document that represented the working procedure for identifying third country jurisdictions¹⁴ (“the 2018 methodology”).

23

The methodology is built on AMLD requirements, and FATF standards, methodology, and best practices. It also takes the FATF listing procedure as the baseline for EU policy toward third countries, and adds country-specific intelligence gathered by Europol and the EEAS. The starting point is the most recent Mutual Evaluation Report (MER) prepared by the FATF, or relevant regional body. The Commission’s approach is somewhat different from that of the US. The US approach allows for different levels of third-country risk, and is more sanctions-driven.

24

The Commission also has other listing processes which in effect tackle ML/TF threats from outside the EU, specifically the list of non-cooperative tax jurisdictions for tax purposes, and also the list of restrictive measures (sanctions). These are compared in Annex III. Both the tax and sanctions lists are designed to encourage change outside the EU, while the AML/CFT third-country list is mainly defensive in nature. Also, both these other lists are the result of Council decisions.

25

The methodology (see paragraph 22) also obliges the Commission to gather input from Europol and the EEAS because they have the relevant expertise, including country-specific information also on ML/TF risk in third countries in the EEAS’s case. During the scoping and prioritisation exercise, the Commission formally requested information related to the identification of the third-countries from both Europol and EEAS.

26

Table 1 illustrates the timeline followed by the Commission in generating and updating the third country list.

27

Europol provided the Commission timely and consistently with information for the scoping and prioritisation exercises. The EEAS did not initially provide any of the information requested in writing by the Commission, providing input to the process only later. The lack of country-specific information at the time it was initially requested reduced the efficiency of the process.

28

There were also issues to be faced in relation to engagement with third countries. The methodology obliged the Commission and the EEAS to engage in a coordinated manner and to ensure that the third country concerned would be updated, fully and in good time, on the adoption of the Delegated Act. We did not find evidence that this happened in a thorough manner.

29

The Commission adopts the list of high-risk third countries by way of a “Delegated Act”. This obliges the Commission to consult expert groups of Member State representatives before adoption.

30

The Commission communicated with the Council via the EGMLTF and asked for input on the preparation of the countries’ risk profiles, the AML/CFT assessments, and on the draft Delegated Act. During the consultation on the preparation of the country risk profiles and AML/CFT assessments (“country fiches”) in November 2018 (see Table 1); almost half of the Member States provided relevant input to the Commission.

The Commission assessments are complete but relied heavily on FATF reports

31

The methodology obliges the Commission to prepare country profiles for each assessed country, describing threats and risks and, based on the analysis of eight building blocks, to make an overall assessment of the level of deficiency of the third country concerned.

32

Based on our analysis of a sample of ten countries, we conclude that the Commission managed to gather information effectively on third country risks and compile it into individual country profiles that it used for its assessments. In general, the country profiles included complete and relevant information in most cases, compiled from both internal and publicly available sources of information. However, they rely heavily on MERs done using FATF methodology, and some of these are up to a decade old.

33

The Commission methodology does not use any weights or scoring criteria assigned to each building block and/or assigned rating with the choice of jurisdictions being ultimately based on expert judgement. However, in our sample we did not identify any inconsistency between jurisdictions selected or not selected by the Commission.

The first attempt at an autonomous EU third-country list failed, and as a result the EU’s current list does not go beyond the FATF list

34

The Commission adopted the Delegated Act on the 13 February 2019; identifying 23 high-risk third countries (see Table 1). The Delegated Act could only enter into force if the European Parliament and the Council, within a period of a month of the notification of the act, did not object. On 7 March 2019 the Council decided unanimously to reject the draft list put forward by the Commission. Many Member States expressed concerns that the consultation process with them had been rushed. By contrast, the Parliament endorsed the Delegated Act in its resolution of 14 March 2019.

35

After the Council’s rejection, the Commission proceeded to propose a new Delegated Act in May 2020 (see Table 1). This was done based on alignment with the FATF process by only considering countries listed and de-listed by FATF. This list was more limited in scope. It was not rejected by either Parliament or Council and is currently in force. For information, we show the February 2019 list highlighting the countries which were not on an FATF list at the time (see Table 2).

36

Overall the process to draft an autonomous EU third country list has not been effective. To date, the EU has not agreed on a third-country list that goes beyond the FATF list in force, and which addresses specific EU-related threats. The chosen response to risk is only at the country level, and does not target the entity or sector like with the EU sanctions list.

37

In May 2020 the Commission also published a refined methodology to be used for the next listing process which is currently being implemented. It builds on the previous methodology, and will involve greater engagement with third countries. This will in effect mean that listing a new third country could take up to 12 months. Our observations about the shortcomings of the previous methodology are still relevant for the implementation of the current methodology.

The Commission’s risk analysis for the EU internal market lacks geographical focus, prioritisation and data

38

The AMLD4 obliges the Commission to assess the specific ML/TF risks affecting the internal market and relating to cross border activities and to report every two years or more frequently if appropriate. This is known as the Supra National Risk Assessment (SNRA). The first SNRA was produced in 2017 and the second in 2019. The purpose of this type of risk mapping is to spot the depth and location of issues in the Union in order to help to set up appropriate corrective actions. It is also a key tool for policymakers and banks alike, showing them where to focus their actions to best reduce ML/TF risk. Member States are also obliged to produce a national risk assessments (NRA) but we did not assess these. The Commission is also obliged to collect statistics from Member States on quantitative volumes of money laundering.

39

We assessed whether the Commission’s process for generating an SNRA and publishing statistics was efficient and effective, by reference to the relevant standards.

The Commission’s methodology does not prioritise sectors based on risk, does not have a geographical focus, and does not show changes over time

40

The Commission’s methodology is built on the FATF’s approach. This approach provides all the necessary details in line with risk management standards. (see Table 3).

41

The approach used to perform the SNRA aims to assess vulnerabilities detected at EU level through a systematic analysis of the money laundering risks linked to the techniques used by potential perpetrators of money laundering and terrorist financing.

42

The Commission’s work for the 2019 SNRA consisted of an analysis and accompanying assessment for each of the 47 products or services, outlining the relevant threats, vulnerabilities and conclusions; see Table 3.

43

Updates to the SNRA were created using information from ongoing exchanges with stakeholders, including Member States, professional organisations, and NGOs. In our survey, 50 % of Member States concluded that the SNRA was very useful for developing policy at national level, with 40 % responding it was somewhat useful.

44

The Commission does not present sectoral assessments by priority level (overall score: threat multiplied by vulnerability for instance), but presents them by professional sector. There is, however, a summary of the risks for the sectors included in the accompanying communication from the Commission. The Commission did not make an assessment per sector of whether the level of overall threat or vulnerability rose between 2017 and 2019. In addition, the lack of comparable statistics makes it more difficult for the Commission to compare threats from the different sectors (see also paragraph 48).

45

The risk assessment methodology designed by the Commission with the help of the EGMLTF considers the impact of the residual risks identified after analysing the threats and vulnerabilities as “constantly significant” in all cases. This is evidence of a lack of prioritisation in the exercise.

46

For our analysis, we selected a sample of three out of the 47 products and services (e-money; brokerage and wealth management- private banking), as they are relevant to the banking sector and had high vulnerability scores. Our findings are as follows:

• although we noticed input from various stakeholders on the draft fiches, it was not possible to clearly link this to the assessment made;
• we found that the changes of score were not substantiated, especially where the conclusions became more critical;
• there is no geographical focus in the risk assessment, even though this would be relevant for some sectors ;
• the Commission is allowed to make updates, between the biannual updates, for developments in sectors where innovation is rapid, but has never done so;
• for the follow-up of recommendations, two years may not be sufficient for the Commission to be able to check completion of actions.

47

The follow-up of the 2017 SNRA was performed when drafting the 2019 edition. For the three sectors reviewed, we found no clear mention of the conclusions of this follow-up in the SNRA 2019 at the level of sector. There is however, an overall follow-up of recommendations in the report from the Commission to the European Parliament and the Council¹⁶.

The Commission has not reported on ML/TF statistics

48

Historically, there have been few reliable estimates of the magnitude of money laundering in Europe, either by sector, by frequency of occurrence, or in monetary terms. Since January 2020, the Commission has been obliged to collect and subsequently report on statistics on matters relevant to the effectiveness of their systems to combat money laundering and terrorist financing. Member States are also obliged to submit such statistics to the Commission¹⁷. The Commission (DG FISMA) has taken steps to collect these data from Member States, although it has not reported on them to date. Furthermore, Eurostat does not have a methodology to collect and estimate quantitative volumes of money laundering.

49

Overall, we find that risk is not clearly prioritised by the Commission in its bi-annual assessment, and there is no geographical dimension. Furthermore, the Commission does not publish statistics on ML/TF that would allow for greater prioritisation in the exercise. Together, these reduce the ability of the Commission, policymakers, and obliged entities to take action to mitigate ML/TF risk.

Transposing EU AML/CFT legislation is complex, transposition is uneven, and assessment by the Commission is slow

50

The EU’s legal framework for the prevention of money laundering is almost entirely in the form of directives, which must be implemented in the legislation of Member States, rather than regulations. For a directive to take effect at national level, EU countries must adopt a national measure, usually a piece of legislation. If the Member State fails to implement EU law, the Commission has the ultimate power to resort to formal infringement procedures¹⁸ before the Court of Justice of the EU.

51

Our audit examined whether the Commission is assessing the transposition of the EU AML/CFT legal framework effectively¹⁹ by reference to the relevant standards including the AMLD, the Commission’s own Better Regulation guideline, and other internal guidance. To answer this question, we assessed the Commission’s checking of AMLD4. It entered into force on 15 July 2015 and the 28 Member States were obliged to transpose this Directive into national law and to communicate all national transposition measures to the Commission by 26 June 2017. Nevertheless, while AMLD4 was still being transposed, AMLD5 came into effect in mid-2018.

52

We carried out our assessment on a sample of three Member States and five of the 69 AMLD4 articles. We chose articles which were relevant to the EU banking sector and for which compliance issues were found in most Member States²⁰. We focused our assessment on the first two phases of the compliance checking process, i.e. notification and transposition checks, as most of the Commission’s conformity checks are still ongoing and not finalised yet. Our audit scope did not cover an assessment of the implementation of the legislation in the Member States. The Commission’s compliance checking process is explained in Figure 3.

The Commission took useful action to encourage transposition

53

To help Member States, the Commission provides compliance-promoting tools²¹. Between September 2015 and April 2016, i.e. in advance of the transposition deadline, the Commission organised five workshops for all Member States. Overall, we found that the workshops covered all crucial topics with regard to transposition of AMLD4. Our survey showed that 17 out of 20 Member States (85 %) found the Commission’s guidance useful²² and 70 % replied that workshops were a very useful method to support them²³ in their transposition work. One issue referred to by Member States was the fact that AMLD5 came into effect in mid-2018 while AMLD4 measures were still being transposed. This put pressure on administrative capacity to deliver transposing measures.

54

Despite this action by the Commission, before the transposition deadline, the Commission began infringement procedures for non-communication or incomplete communication²⁴ against all Member States between July 2017 and March 2019. One week later, only six Member States had declared complete transposition, seven Member States had declared partial transposition and 15 Member States had not notified any measures transposing AMLD4. However, our sample showed that some Member States had overstated the extent to which they had taken transposition measures. This contributes to a situation where, despite a desire at EU level for consistency, AML law is implemented unevenly at national level, increasing the vulnerability of the single market to ML/TF risk (see also paragraph 09).

The Commission’s use of a contractor had shortcomings

55

The Commission outsourced the compliance testing of AMLD4 to an external contractor who was to carry out transposition and conformity checks on all national transposition measures and for all 28 Member States. The internal guideline²⁵ requires the Commission to review the external contractor’s reports. Our audit work confirmed that these internal guidelines were adhered to.

56

There was no contingency in the contract for follow-up procedures, so when the contract ended the full burden of assessing the transposition for all 28 Member States fell to Commission staff. This is particularly relevant for AMLD4, where the majority of Member States declared either partial or no transposition by the agreed deadline, and several Member States notified a high number of transposing measures, in some cases over four years (between 2016 and 2020).

57

In practice, the Commission was only able to act rapidly to start an infringement procedure when a Member State declared neither complete nor partial transposition. In our sample, one Member State did this. The Commission sent a letter of formal notice (LFN) to the Member State a month after the deadline passed in June 2017.

58

In our sampled cases, the Commission took a minimum of 20 months and a maximum of 40 months to finalise the overall transposition checks including the infringement procedures on AMLD4 (see Table 4)²⁶. This is significantly longer than the objective in the Commission’s own guideline²⁷. A contributory reason was the length of time the Member States took to transpose and notify AMLD4, as well as the incompleteness of the transposing measures. In addition, conformity checks can only start once the transposition checks (including a possible infringement procedure for completeness issues) have been completed²⁸, which can slow down the process. There was a wide range of measures notified across Member States, over a period of between two and five years (see Figure 4).

59

For the compliance checks (see paragraph 52), our review showed that the quality of the Commission’s documentation after the external contractor had finished its work varied significantly from country to country. For one of the sampled countries the Commission could not provide records of structured follow-up by its staff. With the exception of the template for compliance checks, the relevant Commission unit did not have unit-level guidelines in place and staff turnover was high. The Commission did not have a strategy in place to ensure institutional memory on what remains a specialist topic. This is despite EU AML/CFT legislation being on its fifth iteration.

Many Member States did not cooperate fully with the Commission

60

AMLD4 is a complex directive that in most of the Member States is not transposed in a single piece of legislation but requires the adoption or modification of different pieces of legislation. 19 out of 20 Member States (95 %) replying to our survey agreed that the biggest challenge to transposing AMLD4 was the complexity of legislation, while 60 % mentioned human resources as a challenge. One of our sampled Member States notified its 64 measures in five stages: three measures were notified before the deadline passed, 10 measures after the deadline in 2017, 16 measures in 2018, 34 measures in 2019, and one measure in 2020. This example shows how complex the transposition process was in certain Member States, often involving several ministries³¹.

61

Member States were required to provide the Commission with explanatory documents including transposition tables³². Our sample showed that Member States did not always do so and some even explicitly refused. Our audit found that not all Member States notified their national transposition measures via the database designed for the purpose either, which hampered the assessment of the transposition of AMLD4. Together, this increased the Commission’s workload.

62

By way of context, in 2019, the CJEU concluded³³ that the burden of proof is on the Member States to provide sufficiently clear and precise information on the measures transposing a directive. However, the transposition of AMLD4 largely pre-dated the above-mentioned judgments.

The Commission’s management of the process lacked resources

63

DG FISMA’s unit responsible for AML/CFT oversight currently consists of 17 full time equivalent (FTE) staff, having expanded in recent years. It is also responsible for AML/CFT law making, case handling, BUL requests to the EBA, the preparation of third country lists, and the SNRA.

64

For the years 2017-2019, the unit had a limited number of staff who generally had a broad range of responsibilities. Our own calculations suggest that one desk officer was in some cases responsible for four to six Member States, and staff turnover was high.

65

The lack of human resources contributed to the delays compared with the Commission’s own guidelines as set out in previous paragraphs. For some Member States, the Commission did not have staff with the relevant language skills for check transposition, and therefore it was particularly reliant on translations that added time.

66

Overall, the Commission’s assessment of AML/CFT legislation lacked effectiveness. This was related to several factors, such as the complexity of the legislation, uneven action taken by Member States, and lack of resources given to AML/CFT tasks at the Commission. In addition, the reliance on directives meant a slow and uneven implementation of EU AML/CFT law.

The Commission and EBA did not use their 'breach of Union law' powers effectively

67

A key condition for the smooth functioning of the internal market is for EU law relating to money laundering to be implemented consistently throughout the Union. The legislative basis (for simplicity “the EBA Regulation”³⁴) gives the EBA the power to investigate a potential breach of Union law (BUL) relating to AML/CFT legislation at Member State level. This could involve inadequate supervision allowing large volumes of ML/TF to take place in a bank.

68

The EBA has had BUL powers since its creation in 2010. The procedure for a breach of Union law investigation is set out in the EBA Regulation and also the EBA’s own rules of procedure. Annex V sets out the process, timeline, and key stakeholders involved.

69

These investigations can be carried out at the EBA’s own initiative or on referral from a number of other bodies, including the Commission. Therefore the whole process, including referral from the Commission to the EBA is relevant to an assessment of the efficiency and effectiveness of how a potential breach of Union law is dealt with. It is also relevant as the Commission has the overall responsibility at Union level for the correct application of EU law (see also paragraph 51). Specifically, we examined whether the Commission acts effectively when faced with potential breaches of EU AML/CFT law, and whether the EBA investigates them in an effective and timely manner. We explored whether the Commission uses its powers in regard to potential breaches of EU AML/CFT law, in particular its (internal) procedures, to request the EBA to investigate an alleged breach or non-application of Union law³⁵.Furthermore, we assessed whether the EBA investigates potential breaches of Union law in line with its powers under the EBA Regulation.

70

Since 2015 the EBA has received 48 cases in total from several sources, relating to different types of law, such as prudential supervision. It has never opened an own-initiative investigation relating to ML/TF. Nine of these 48 cases related to ML/TF, and of these nine we examined the four requests by the Commission to the EBA concerning ML/TF-related breaches of Union law between 2016 and 2019, in order to examine co-ordination between the two.

The Commission’s approach to BUL requests was ad hoc

71

The Commission has no internal guidance for triggering a request to the EBA for an investigation. The Commission made the requests on an ad hoc basis and, in most cases, they followed within days of media reports of an AML/CFT-related issue in a Member State. There was no formal consultation between different services of the Commission.

72

In three of the four cases examined the Commission asked the EBA to ensure that a specific financial institution satisfied the requirements in Article 1(2) of the EBA Regulation and to investigate a possible breach or non-application of Union law. This was despite the fact that the EBA’s legal powers then in force related to the activity of the national supervisors, and not directly to the activity of financial institutions.

73

This lack of internal consultation and mis-characterisation of the EBA’s powers suggests that the Commission’s approach was ad hoc.

There were excessive delays in EBA action on BUL allegations

74

Of the four requests from the Commission, the EBA decided to not investigate two of them, but only after considerable delay. In one case, the EBA took action to gather evidence promptly but then took no further action for over a year. In the other, it took no action to gather evidence at all. The EBA’s formal response to the Commission was a letter that came after 13 months in one case and 26 months in another. It concluded that there was no substantial prospect of the EBA proceeding to a BUL investigation in light of the decision in a preceding case (see paragraphs 78-79).

75

There was no clear rationale for this delay in the EBA documents we examined. Such a delay is not consistent with the principles of good administration or mutual co-operation between EU bodies and institutions. The effectiveness of the BUL process is also limited, as the requests did not produce a result (either an investigation or a decision not to investigate) for an excessive length of time. This meant that during this time the Commission had a reduced ability to take action relating to these cases.

76

In the two other cases, the EBA initiated an investigation that in both cases led to a draft recommendation concerning a breach of Union law being submitted to the EBA’s Board of Supervisors (BoS). In both cases, we found that the EBA staff carried out a comprehensive investigation of the issue under consideration, following the internal rules. In one case the BoS decided there had been a breach of Union law but not in the other.

High-level EBA decision-making was influenced by national interests

77

In the first of the two cases that were investigated, the BoS found within the two-month legal time frame that a breach of Union law had occurred and issued the recommendation to the national supervisor concerned. It promptly informed the EBA of the steps being taken. In line with its powers, and after consulting the EBA, the Commission decided that these steps were neither adequate nor appropriate to ensure compliance with Union law. The Commission then issued an opinion to the relevant national supervisor on necessary actions. On the whole, we found evidence in this first case of efficient and effective co-operation between the EBA and the Commission in carrying out their respective roles under the EBA Regulation.

78

In the second case, the EBA completed the BUL investigation within the two-month legal period. The investigation involves the convening of a panel, which comprises the EBA Chair and six other BoS members from Member States whose authorities are not concerned by the investigation. In this case, the panel considered a draft recommendation for a BUL, which was then sent to the full BoS for its consideration. We found written evidence of attempts to lobby panel members during the period when the panel was deliberating on a potential recommendation to the BoS. In the end the BoS rejected the draft recommendation.

79

With regard to the standards in place concerning this kind of lobbying, all BoS members are subject to the provisions of Article 42 of the EBA Regulation which obliges them to “neither seek nor take instructions from any government of a Member State or from any other public or private body.” Likewise, in the same article, Member States or other public bodies such as national supervisors are prohibited from seeking “to influence the members of the Board of Supervisors in the performance of their tasks”. While the EBA has detailed Rules of Procedure for a BUL investigation, these contain no specific guidance on whether panel members should accept approaches from other BoS members, or whether these other BoS members may attempt to lobby panel members.

80

The Commission was not present for the discussion of this matter due to its non-voting status, and was only formally informed of the decision and its rationale ten days after the BoS meeting. Later that year, the Commission concluded that this case raised ”questions for the future, including on how to ensure that supervisors can be held accountable for their actions to ensure financial institutions’ compliance with Union law, especially when working with minimum harmonisation Directives”³⁶.

81

As long ago as 2014 the Commission concluded that the EBA’s governance allows it to take decisions, at times, that are more geared towards national rather than broader EU interests³⁷. Our own report on the EBA stress tests (SR 10/2019) concluded that the dominant role of national authorities meant that the EU perspective was insufficiently taken into account³⁸. The incidence of lobbying outlined above is further evidence that national supervisors are too dominant within the EBA's governance framework.

82

A new EBA regulation came into effect on 1 January 2020, and provides for some changes to the BUL procedure in general, and in relation to AML/CFT. However, the key governance shortcomings at the EBA outlined in the previous paragraphs remain.

Information sharing between the Commission and the EBA has not been formalised

83

In each of the two BUL cases the EBA investigated, it took a very different approach to sharing documents with the Commission, which is a non-voting member of the BoS.

84

In the first case (see paragraph 77) it shared the draft recommendation with the Commission BoS representative. In the second case (see paragraphs 78-79) the EBA refused to share any documents with the Commission at all in advance of the BoS meeting based on professional secrecy considerations in its founding regulation. It eventually provided the draft recommendation to the Commission a month after the decision had been taken.

85

We also found that there is no formalised exchange between the EBA and the Commission after the Commission sends the EBA a request for a potential breach of Union law procedure, but rather informal contacts. Although the EBA Regulation then in force did not require it, a formalised regular exchange between the two parties would have enhanced clarity and the traceability of the steps that the EBA intended to take following such a request from the Commission and would have allowed the Commission to express its expectations in terms of deadlines and priorities when it was addressing several BUL requests to the EBA in parallel.

86

Overall, the BUL process lacks effectiveness. The Commission has an ad hoc approach to making requests, and the EBA Board of Supervisors (despite efficient preparation by staff) is not oriented toward the EU interest when using its BUL powers.

The ECB has started to integrate ML/TF risks into prudential supervision but, despite improvements, information-sharing is not fully efficient

87

In late 2014, the ECB assumed responsibility for the prudential supervision of credit institutions (for simplicity “banks”) within the Banking Union³⁹, in practice it means direct supervision of about 120 banks or banking groups in the euro area.

88

Prudential and AML/CFT supervision have different objectives and approaches. Risks arising from ML/TF and prudential concerns can overlap and there are complementarities between the two types of supervision. For example, a business model reliant on ML/TF could increase the risk of bank failure. Or the presence of ML/TF could be indicative of otherwise poor risk management which is prudentially relevant.

89

The new ECB supervisory powers conferred in 2013 specifically excluded it from taking responsibility for the prevention of the use of the financial system for the purpose of ML/TF⁴⁰; these powers were left with the national authorities responsible for ML/TF supervision (for simplicity “national AML/CFT supervisors”). The recitals of the SSM Regulation indicated that the ECB should co-operate fully with these national AML/CFT supervisors⁴¹. To overcome subsequent legal uncertainty⁴² around this cooperation, legislation to facilitate specific co-operation came into effect in 2018⁴³ and 2019⁴⁴.

90

In the Member States, national ML/TF supervisors are usually part of the same public body that carries out prudential supervision of banks. In general, the Member States we spoke to pointed to the potential synergies of such an approach within their national frameworks.

91

The Single Supervisory Mechanism (SSM) was set up in 2014, but our audit emphasis is on developments from 2018 until June 2020. Our focus was to examine whether the ECB made efficient use of identified ML/TF risk factors in its prudential supervision.

92

We also checked whether there was an appropriate framework in place to facilitate efficient information exchange between the ECB and the national supervisors. We assessed whether there was a robust methodology in place for efficiently integrating prudential implications of ML/FT risks in the ECB’s ongoing prudential supervision, namely in the context of the Supervisory Review and Evaluation Process (SREP).

93

We reviewed the applicable EBA SREP guidelines, the ECB’s supervisory manual, the internal controls within the ECB and related statistical information. We also examined their implementation by reference to a sample of 12 banks⁴⁵ directly supervised by the ECB. In doing so, we focused on the last two finalised SREP cycles of 2018 and 2019. We drew our sample on a risk basis focusing on banks where the ECB had most communication with national supervisors, while also ensuring geographical spread.

Despite improvements, sharing of information between national supervisors and ECB is not fully efficient

94

Based on our interviews with ECB staff, prior to 2019 interaction between the ECB and national AML/ CFT supervisors occurred on an informal basis through ongoing supervision, although not necessarily on a consistent and structured basis. We saw no evidence of this, as the SREP cycles we assessed did not cover that period.

95

In addition, the vast majority of national prudential supervisors also have an AML/CFT supervision mandate (see Figure 5), known as “integrated supervisors”. The extent of sharing information within these supervisors varies, due to factors such as organisational structure and the national legislation. In some cases it was not shared internally, which highlights the role the ECB can play in facilitating information exchange.

96

In early 2019, the ECB and the national supervisors signed an agreement on the practical arrangements for information exchange (the “AML Agreement”)⁴⁶. This AML Agreement defined in general terms the information that has to be exchanged from both sides, including the procedures to be followed based on requests or 'own initiative' exchanges. See Annex VII for more details.

97

To facilitate the use of the AML Agreement, at the end of 2018 the ECB set up a horizontal co-ordination function within the SSM resourced with six FTEs, to act as a central point of contact between national supervisors and line supervisors within the ECB.

98

From the operationalisation of the AML Agreement in January 2019 until November 2019, in the context of the annual regular cycle the ECB did not receive AML/CFT supervisory information from national supervisors for any significant institution. Furthermore, there was no information exchange between the ECB and the national supervisors under the AML Agreement in this period in relation to approximately a third of the banks directly supervised by the ECB.

99

On the other hand, for the period from December 2019 until June 2020, in the context of the annual regular cycle, the ECB received 152 sets of information related to 110 banks. For more details of the information exchange for the 120 large banks directly supervised by the ECB, see Table 5.

100

The data in Table 5 and our audit work show that information exchange has become more frequent and consistent since the AML Agreement was put in place in early 2019, as regular exchanges between the ECB and AML/CFT authorities became more frequent from the first part of 2020.

101

The ECB established standard templates for requesting and transmitting AML/CFT-related information with the national supervisors both for regular exchanges and for ad hoc requests. The ECB also put a framework in place to provide information to AML/CFT authorities, such as supervisory measures relating to shortcomings in internal governance.

102

We found delays in some cases of up to six months in the transmission of information from the ECB to national supervisors, for example relating to the AML/CFT extracts from the SREP decisions, information from ECB’s offsite supervision, and information on suspicious non-performing loan transactions. While the AML agreement does not have clear deadlines, much of the delay originates from the multiple layers of management approval needed within the ECB⁴⁷. Its managers have very little delegated authority to share information. This may lead to a delay in the national supervisors taking action where necessary.

103

The material supplied by national supervisors (such as on-site inspection reports) varied in scope and quality, and was not always provided in a timely fashion. In some cases, the national supervisors shared the actual excerpts or even full onsite inspections reports with the ECB. For other banks, only summary material was provided.

104

The EBA is in the process of drawing up guidelines on cooperation and information exchange between prudential supervisors, AML/CFT supervisors and FIUs. The guidelines are expected to be issued for public consultation in the second quarter of 2021 and will provide clearer guidance.

National supervisors use different methodologies, and EBA guidance on supervisory assessments is not specific enough

105

In our sample of banks, we also found that the national supervisors use very different methodologies for their AML/CFT assessments, for example using different scales and criteria for scoring risk mainly due to the minimum harmonisation nature of the legal framework. This leads to an increased risk of inconsistent factoring by the ECB of prudential concerns related to ML/TF risks into prudential supervision of banks from different jurisdictions, although it is not within the ECB’s remit to challenge these scores or the risk methodologies. The EBA is currently consulting on changes to its existing guidelines for risk-based AML/CFT supervision.

106

An explicit reference to anti-money laundering was only included in the revised EBA SREP guidelines⁴⁸ in July 2018, although in general terms. The ECB’s own internal guidance was of a general nature as well.

107

An explicit legal basis for integrating ML/TF risk into prudential supervision only came into effect in June 2019 (see paragraph 89). This also needed transposition at Member State level.

108

After a request by the Council to produce relevant guidance, the EBA published two opinions. However, in the absence of a harmonised legal framework and detailed EBA guidelines, prudential supervisors in general, and the ECB in particular, do not have a full set of information and tools for consistently reflecting the prudential implications of ML/TF risks under the SREP.

109

The ECB updated its own Supervisory Manual in early 2020 in line with the EBA guidance in place. The supervisory practice is to update internal manuals when EBA guidance is in place on, for example, how AML/CFT related concerns and supervisory considerations may feed into the overall SREP score.

110

For the SREP 2018 and 2019 cycles, the ECB did not perform a consistency check to see how ML/FT concerns were factored into their SREP assessments, although this was done for the 2020 SREP cycle⁴⁹. For the banks in our sample however, we found evidence that the ECB factored ML/TF-related information into its SREP decisions in 2018 and 2019. For banks with identified ML/TF weaknesses, the ECB made recommendations to remedy the prudential deficiencies. In a minority of cases, the staff considered the information provided by the national supervisors, but assessed it to be non-material for prudential purposes. SREP decisions (or relevant parts) were sent both to the banks and to the national supervisors. The ECB is not responsible for checking the actions of the national supervisors for their core activities but simply for making them aware of such information.

111

Overall, the ECB has made a good start in integrating ML/TF risk into prudential supervision. More efficient decision-making by the ECB is needed, and forthcoming EBA guidance will need to be integrated by the ECB and national supervisors.

Conclusions and recommendations

112

Overall, we found that EU-level action in the fight against ML/TF has weaknesses. There is institutional fragmentation and poor co-ordination at EU level when it came to actions to prevent ML/TF and take action where risk was identified (see paragraphs 50 to 66). The EU bodies we audited have limited tools at present to ensure sufficient application of AML/CFT frameworks at national level (see paragraphs 67 to 86; 87-111). There is no single EU supervisor for ML/TF and the EU’s powers in relation to ML/TF are split between several bodies and co-ordination with Member States is carried out separately.

113

Currently, the EU’s main approach to protecting its banking sector from being used for ML/TF is by applying legal requirements that come mainly in the form of directives. Member States have the obligation to transpose the directives, and bear the main responsibility for tackling ML/TF through their national supervision frameworks. Member States are also responsible for enforcement. In effect, application of EU AML/CFT law differs from Member State to Member State.

114

In generating the 2019 third-country list the Commission made good use of intelligence (including from Europol) and it applied its methodology appropriately (paragraphs 31 to 37). The EEAS initially failed to provide the requested inputs to the Commission for generating the list, and communication with listed third countries was inconsistent (paragraph 28). Despite attempts by the Commission to generate an autonomous EU list, it has not yet managed to go beyond the FATF list so far, due to lack of approval from the Council (paragraphs 35 to 36).

115

The Commission’s risk assessment methodology does not prioritise ML/TF risks clearly in its SNRA, nor does it make clear when the risk assessment sectors change (paragraph 44). The Commission has not made rapid updates to the SNRA in line with its powers, and does not refer to the geographical dimension (paragraph 46). The Commission has not yet published statistics on ML/TF in line with its new legal obligations, making it difficult to assess the scale of ML/TF in the EU right now (paragraph 48).

Recommendation 1 – The Commission should improve its risk assessments

The Commission should:

1. use greater prioritisation of sectors based on risk throughout the whole supra-national risk assessment exercise: from planning to follow-up, specifying when and why they are changing; and carrying out updates for fast-moving sectors and adding a geographical dimension, where relevant;
2. implement the new methodology to generate an autonomous EU third-country list; working in liaison with the EEAS and Member States to ensure integration of intelligence, and early communication with listed third countries;
3. put in place tools to mitigate ML/TF risk from third countries at the level of the entity or sector.

Timeframe: by end-2021

116

AMLD transposition is complex, and in most cases, Member States were slow to transpose AMLD. In many cases their communication of transposition to the Commission was incomplete or late (paragraphs 60 to 62). Nonetheless, we identified occasions where the Commission’s assessment was slower than the Commission’s own internal guidelines suggest (paragraph 58). The Commission’s work on transposition assessment was understaffed (see paragraph 65), and reliance on outsourcing had limitations (paragraph 56). Taken together, these factors delayed the Commission’s ability to take measures in relation to the non-transposition.

117

This slow transposition contributed to an inconsistent legal framework across Member States (paragraph 58) and increased the risk of weak points being exploited by money launderers. Commission workshops were a useful tool to support Member State administrative capacity (paragraph 53). Despite this good quality guidance from the Commission, Member States took a long time to transpose the legislation and overstated the extent to which they had done so (see paragraph 54). Overall, it shows that for a complex area like AML/CFT legislation, a level playing field can be better achieved by use of regulations rather than directives.

Recommendation 2 – The Commission should ensure the consistent and immediate effect of AML/CFT legislation

The Commission should make use of a regulation over a directive to the extent possible.

Timeframe: by end-2021

118

When it comes to co-ordination, the Commission carries out little analysis of its own before initiating BUL requests to the EBA, relying mainly on public reports (paragraph 71).

119

In general, EBA staff carried out investigations into alleged ML/TF-related breaches of Union law in time and in line with internal guidance (paragraph 76). However, the EBA took an unreasonable amount of time to decide whether to investigate certain cases (paragraphs 74 and 75), and carried out no ML/TF investigations on its own initiative (paragraph 70). At the EBA, we found evidence of lobbying of members of a panel while it was considering a potential ML/TF-related breach of Union law. The EBA does not have specific rules in place to prevent lobbying of this kind (paragraphs 78 and 79). For BUL, the EBA’s decision-making process is not sufficiently EU-oriented, due to the influence of national supervisors in its decision-making process, and the closure of cases without investigation shows that the EBA is now reluctant to carry out ML/TF BUL investigations. As a result, the EBA has only made one positive finding of a breach of Union law related to ML/TF since its powers came into effect in 2010.

120

Taken together, this suggests that the breach of Union law mechanism is not contributing to the uniform application of AML/CFT law across the EU, putting at risk the integrity of the single market.

Recommendation 3 – The EBA and Commission should make better use of their BUL powers for ML/TF

The Commission should:

1. put in place directorate-general-level internal guidance for making ML/TF breach of Union law requests;
2. make use of information on cases when making use of its legal powers to ensure EU law is applied;
3. propose legislative amendments to provide legal clarity on what information should be shared with the Commission by the competent body for investigation of BUL complaints during the breach of Union law process.

The EBA should:

4. ensure that decisions to investigate or not to investigate are taken without undue delay when breach of Union law referrals are received;
5. put in place rules to prevent other BoS members from seeking to influence panel members during their deliberations.

Timeframe: by end-2021

121

In line with new obligations, the ECB has put in place a framework for integrating ML/TF-related information into prudential supervision, and is actively exchanging information relating to ML/TF risk with national supervisors. However, the efficiency with which information leaves the ECB is hampered by a cumbersome ECB decision-making process (paragraph 102). The ECB has neither the responsibility nor powers to investigate how the information that it sends outward is used by national supervisors. There is no EU-level AML/CFT supervisor so ultimately the national supervisors are responsible for monitoring compliance and taking action (paragraph 07).

122

National AML/CFT supervisors have begun to provide the ECB with bank reports that are prudentially relevant. However, these reports vary in scope due to national practices, and updated EBA guidance for AML/CFT supervisors is still being developed (paragraph 117). This reduces the ability of the ECB to incorporate them efficiently into its supervisory assessments (paragraphs 108 and 109). Based on our sample, we can conclude that the ECB is now integrating ML/TF risk into prudential supervision (paragraphs 110 and 111).

Recommendation 4 – EBA and ECB should work to better incorporate ML/TF risk into prudential supervision

The EBA should:

1. enhance its guidance for incorporation of ML/TF risk into prudential supervision;

Timeframe: By the end of the first quarter of 2022

2. finalise guidelines on the risk-based approach to AML/CFT supervision to provide for greater consistency in AML assessments of supervised entities;

Timeframe: By the end of 2021

3. specify in its guidelines on co-operation and information exchange the content of information to be shared, as well as timelines for doing so

Timeframe: By the end of 2021

The ECB should:

4. put an internal policy in place for more efficient sharing of ML/TF-related information with national supervisors;

Timeframe: by the end-of the first quarter of 2022

5. update its methodology for integrating ML/TF risk in prudential supervision once updated EBA guidelines are published.

Timeframe: by the end-of the second quarter of 2022

123

Given the high level of cross-border integration in the EU banking sector, the deficiencies in the current design and implementation of the EU AML/CFT framework (see paragraph 112) represent risks to financial market integrity and public trust. The forthcoming legislative reform (see paragraphs 13 to 15) is an opportunity for the Commission, the European Parliament and the Council to address the weaknesses identified (see paragraphs 36, 49, 66, and 86) and to remedy the fragmentation of the EU AML/CFT framework.

This Report was adopted by Chamber IV, headed by Mr Alex BRENNINKMEIJER, Member of the Court of Auditors, in Luxembourg at its meeting of 20 May 2021.

Annexes

Annex I – EU legal framework

Annex II – Comparison of AMLD4 and AMLD5

4th AML-Directive 2015/849	5th AML-Directive 2018/843
Published: 20 May 2015; Came into effect: 26 June 2017	Published: 19 June 2018; Came into effect: 10 January 2020
• Risk assessment at EU level (SNRA) and national risk assessment required • Beneficial Ownership • Home and host responsibilities for companies operating also in other Member States • FIUs powers strengthened • Simplifies due diligence • Gambling: extension to all gambling services • Altered and expanded definition of politically exposed persons (PEPs) • Suspicious Activity Reports • Record keeping can be extended up to 10 years • Cash payments threshold to trigger AML checks lowered to €10 000	• Improve the work of FIUs with better access to information through centralised bank account registers • Improve cooperation between anti-money laundering supervisors and the ECB • Reinforcement of EBA’s supervisory role • Broaden the criteria for assessing high-risk third countries and ensure a common high level of safeguards for financial flows from such countries • Lifting the anonymity on prepaid cards • Interconnection of the beneficial ownership registers at EU level • Politically exposed persons (PEP) list • Increase transparency about companies’ and trusts’ ownership • New cryptocurrency rules

Annex III – Different EU listing processes

	Non-cooperative tax jurisdictions	Restrictive measures (sanctions)	AML third-country List
List	• List of non-cooperative tax jurisdictions for tax purposes;	• List of autonomous EU sanctions including measures agreed by the UN Security Council (to implement UN Security Council Resolutions)	• High-risk third countries with strategic deficiencies in their regime on anti-money laundering and counter terrorist financing
EU objectives	➢ To improve tax good governance globally (overall goal); ➢ To ensure that the EU's international partners respect the same standards as EU Member States; ➢ To encourage positive change tax legislation and practices, through cooperation; ➢ To fight against tax fraud and evasion, tax avoidance, and money laundering; tool for securing a level playing field. ➢ To put pressure on tax havens to apply rules and standards to achieve transparency, fair tax competition and the implementation of international standards against tax base erosion/profit shifting.	➢ Tool of EU's common foreign and security policy (CFSP), through which the EU can intervene where necessary to prevent conflict or respond to emerging or current crises. ➢ To bring about a change in policy or activity. ➢ To implement UN Security Council Resolutions or to further the objectives of the CFSP, namely promoting international peace/security, preventing conflicts, supporting democracy, the rule of law, human rights and, defending the principles of international law. ➢ To support the fight against terrorism and the proliferation of weapons of mass destruction	➢ A defensive policy designed to protect the integrity of the internal market from third-country jurisdictions which pose significant threats to the financial system of the Union.
Shortlisting	➢ Selection phase: Member States are selected based on a neutral scoreboard of indicators. ➢ Screening phase: work of the Global Forum on Transparency and Exchange of Information for Tax Purposes and OECD Inclusive Framework for Tackling Base Erosion and Profit Shifting is considered. Overall assessment criteria: compliance with several OECD Standards.	➢ Some sanction regimes are mandated by the UN Security Council, others are adopted autonomously by the EU based on information from EEAS, Member States, EU delegations and EU Commission. ➢ Restrictive measures must always be in accordance with international law, respect human rights/fundamental freedoms, in particular due process and the right to an effective remedy.	➢ The Commission takes information from the FATF and other FATF-style regional bodies into account, includes a stock-take of other relevant information in the public domain, and considers private information that is available to other EU bodies (e.g. Europol, EEAS).
Main role of EU institutions	➢ List is based on a Commission communication on an external strategy for effective taxation presented in the 2016 anti-tax-avoidance package; EU Commission is in charge of producing a neutral scoreboard of indicators. ➢ The Council of the EU (Code of Conduct Group on Business Taxation): has to screen and list the countries; finally adopts/revises the list.	➢ The Council of the EU: adoption (regulation), renewal, or lifting of sanctions regimes, on the basis of proposals from the High Representative of the Union for Foreign Affairs and Security Policy. ➢ European Commission • to prepare proposals for regulations on sanctions for adoption by the Council; • to represent the Commission in sanctions-related discussions with Member States at the Council Working Party of Foreign Relations Counsellors; • to transpose certain UN sanctions into EU law; • to monitor the implementation/enforcement of EU sanctions across Member States; • to support Member States in their efforts to apply sanctions; • to enhance the resilience of the EU to extra-territorial sanctions adopted by third countries. ➢ EEAS: in charge of preparing and reviewing sanction regimes in cooperation with Member States, relevant EU delegations and the EU Commission.	➢ The Commission is legally obliged to identify countries outside the EU that have shortcomings in their national AML framework which pose a risk to the EU’s financial system. It makes use of rankings found in the Commission’s own 2016 “Tax Scoreboard” which ranks countries on economic connectedness with EU, relative size of financial sector, and corruption. ➢ The Commission adopts the list of high-risk third countries by way of a “Delegated Act”: obligation to consult the EGMLTF and also the European Parliament before adoption. ➢ The list is proposed by the EU Commission, the Parliament or the Council may reject this proposal within 30 days.
Renewal	➢ At least once a year; from 2020, twice a year.	➢ EU autonomous provisions are reviewed at least once every 12 months. The Council can decide at any time to amend, extend or temporarily suspend them.	➢ At least once a year, but can be more frequent.
Target	➢ Only jurisdictions outside the EU can be listed; ➢ Jurisdictions which are EU overseas countries and territories (but not part of the EU themselves) can also be listed.	➢ Governments of non-EU countries (because of their policies; ➢ Companies (providing the means to conduct the targeted policies); ➢ Groups or organisations (such as terrorist groups); ➢ Individuals (supporting the targeted policies, involved in terrorist activities, etc.); ➢ Sanctions have an effect in non-EU countries, but the measures apply only within EU jurisdiction; the obligations they impose are binding on EU nationals or persons located in the EU or doing business here.	➢ Non-EEA countries and territories. These can in principle include EU overseas countries and territories which are not part of the EU themselves.
Impact	➢ EU defensive measures in non-tax areas: • EU institutions/Member States must take the EU list into account in: foreign policy, development cooperation, and economic relations with third countries; • EU Commission should consider it in the implementation of EU financing and investment operations, inter alia, the EFSI and EFSD. ➢ EU defensive measures in tax areas	➢ The EU has over forty different sanction regimes in place. Depending on the sanction scheme, it can lead to an arms embargo, a restriction on admission (travel bans), an asset freeze, or other economic measures such as restrictions on imports and exports.	➢ This has an impact on a firm within the EU doing business with a person or firm in a listed country. Obliged entities within the EU (such as a bank) have to carry out enhanced customer due diligence when dealing with a listed third country. This is a step up from normal due diligence and may include greater checks on identity of a customer, beneficial ownership and/or source of funds.

Annex IV – EU and US

FATF recommendation		How the EU does it	Level	How the US does it	Level
1	Assessing risks & applying a risk-based approach	The EU publishes a supra-national risk assessment every two years. The EBA also publishes sectoral risk assessments on occasion. Member States must also publish their own risk assessments. Supervisors and obliged entities are expected to take this into account when carrying out their activities.	MS and EU-level	Multi agency cooperation to assess risks with annual or bi annual updates: the U.S. maintains a substantial number of complementary processes to identify and assess ML/TF risks which generate a wide variety of outputs. Risk assessments to support the President’s national security strategies are prepared by relevant government agencies with participation from intelligence, law enforcement, and policy agencies involved in AML/CFT, including FinCEN which contributes ML/TF risks and trends identified from the reporting regime.	Federal
9	Financial institution secrecy laws	Member States must put in place laws to ensure that information can be shared with revenue authorities and law enforcement. Under AMLD supervisors must have the power to compel the production of any information that is relevant to monitoring compliance.	MS-level	The Right to Financial Privacy Act (RFPA) (12 USC 3401-22.) governs how US Federal agencies obtain information from FIs and under what circumstances they may disclose it. It puts certain safeguards in place before banks can disclose customer information to law enforcement or supervisory authorities.	Federal
10-11	Customer due diligence and record keeping	Banks in the EU are prohibited from keeping anonymous accounts and are obliged to carry out customer due diligence on new and existing business. They are obliged to keep records for a given period of time and supply them to supervisors (if requested).	MS-level	Keeping anonymous accounts or accounts in obviously fictitious names is not expressly prohibited. However, banks are required to implement risk-based procedures for verifying the identity of each customer to enable a bank to form a reasonable belief that it knows the customer’s true identity. Banks are not explicitly required to identify and verify the identity of persons authorised to act on behalf of customers. Banks are generally obliged to keep records for at least five years.	State
12-16	Additional measures for specific customers and activities	Measures relating to PEPs and correspondent banking are dealt with at Member State level. Money, value, and wire transfers have some obligations based on directly applicable EU law, such as the Wire Transfer Regulation (Regulation 2015/847).	MS and EU-level	Regarding correspondent banking , each concerned bank is required to establish appropriate, specific policies, procedures, and controls that are reasonably designed to detect and report instances of ML through those accounts. As regards money value, wire, and transfer service providers, both formal and informal, are subject to BSA requirements including registration with FinCEN.
17-19	Reliance, Controls and Financial Groups	Member States may allow obliged entities to rely on third parties to provide due diligence subject to certain standards. Standards exist for AML controls for cross-border banks, and national supervisors are expected to co-operate in colleges. For high-risk third countries, the EU adopts a list and supervised entities are expected to put in place enhanced due diligence for dealings with these high-risk third countries.	MS and EU-level	Covered FIs are required to establish AML programs, including, at a minimum: a) developing internal policies, procedures and controls; b) designating a compliance officer sufficiently senior to assure compliance with all obligations under the BSA; c) have an ongoing employee training programme; and d) have an independent compliance function to test programmes. As regards high-risk countries, FIs are required to apply enhanced due diligence to correspondent accounts established or maintained in the U.S. for certain categories of foreign banks. This list is adopted by FinCEN at federal level.	State
20-21	Reporting of suspicious transactions	Obliged entities in the EU Member States are obliged to report suspicious activities or transactions to the national financial intelligence unit (FIU). These FIUs have a platform to share intelligence at EU level (FIU.net). Europol, the EU police agency, also collects and disseminates intelligence on patterns of money laundering activity.	MS and EU-level	The US requires reporting of suspicious transactions by Covered FIs. FIs are directed to report to law enforcement immediately violations requiring immediate attention, such as ongoing ML schemes and terrorist activity. Unless required to be reported immediately, reports of suspicious transactions must be filed with FinCEN.	State
24-25	Transparency and beneficial ownership of legal persons and arrangements	EU AML legislation obliges Member States to put in place registers of beneficial ownership information in central registries that must be connected. Sanctions must also be put in place for those who fail to comply. However, there is no common EU-level register for beneficial ownership and information.	MS-level	The formation of US legal entities is governed by State law. Each of the 56 States, territories and the District of Columbia has its own laws for the formation and governance of legal entities. Federal law also applies to them, once formed, in certain areas (e.g. criminal law, securities regulation, taxation). In 2016 the US was assessed by FATF as having deficiencies in coordination in this area, specifically as adequate, accurate and timely information on the beneficial ownership and control of legal persons could not always be obtained or accessed in a timely fashion by competent authorities.	State
26-28	Regulation and Supervision	The governing legislation is set at EU level and is mainly in the form of a directive. This outlines obligations for certain EU bodies such as the Commission and the EBA. Member States must also transpose certain requirements into national legislation. Each Member State must have a money laundering supervisor or supervisors for obliged entities within its jurisdiction. In practice, regulatory technical standards are set at EU level and banks and national supervisors are expected to comply. EU-level oversight comes in the form of the power of the Commission to issue infringement proceedings when a Member State fails to put legislation into place. Also, the EBA can investigate and make recommendations if a potential breach of Union money laundering law has been identified.	MS and EU-level	Due to the international nature of both the financial system and serious crime and terrorism, the Federal Government has taken the primary role in law making and enforcement in the areas of money laundering (ML) and terrorist financing (TF). State laws can be pre-empted when Congress explicitly includes a pre-emption clause, when a State law conflicts with a Federal law, and when the States are precluded from regulating conduct in a field that Congress has determined must be regulated exclusively by Federal authorities. Federal regulators (OCC, Federal Reserve, FDIC,NCUA,...) have delegated examination and enforcement authority from FinCen. The legal base is the BSA from 1970 and Bank Secrecy Act Implementation; strengthened by the USA Patriot Act from 2001. The U.S. AML/CFT system has a strong law enforcement focus. All LEAs (Federal, State, local) have direct access to SARs filed with FinCEN. A particularly strong feature is the inter-agency task force approach, which integrates authorities from all levels (Federal, State, local). This approach is widely used to conduct ML/TF and predicate investigations, and has proven very successful in significant, large and complex cases.	Federal & State
33	Statistics	The EU legal framework obliges Member States to collect statistics on ML, and for them to submit them to Eurostat, the EU's statistical office. Eurostat is then obliged to report these statistics, but the legal obligation is only just coming into force. In the mean time, there is little systematic quantitive data on volumes of money laundering and terrorist financing.	MS and EU-level	The US maintains comprehensive statistics except on the investigations, prosecutions and convictions related to the State ML offenses, or statistics on the property frozen, seized and confiscated at the State level.	Federal & State
35	Sanctions	Member States are obliged to empower and resource money laundering supervisory authorities to take sanctions when breaches of supervisory rules are detected. In practice, the nature and severity of sanctions vary by jurisdiction.	MS-level	A range of proportionate and dissuasive criminal, civil and administrative sanctions are available, ranging from disciplinary letters to fines and imprisonment. FinCEN may bring an enforcement action for BSA violations. It has sole Federal enforcement authority over FIs and covered DNFBPs. Besides CMPs, FinCEN can take other formal and informal administrative actions. Other agencies (such as SEC) are also empowered under their respective Act for taking a range of supervisory actions.	Federal

Source: ECA summary, based on various FATF, FinCEN, Commission, and EBA documentation.

Annex V – Steps in the BUL process

Phase	Process	Stakeholder	Timeline
Request	Article 17 of Regulation 1093/2010 (The EBA Founding Regulation) Article 17 provides for the possibility of the EBA to investigate alleged breaches or non application of Union law, on its own initiative or at the request of certain bodies, to make a breach of Union law investigation of certain bodies. The EBA Regulation does not lay down how and when, i.e. none of these bodies (including the Commission) has any legal obligation concerning how or when it should make a request to the EBA.	A request must be made to the EBA by one or more competent authorities, the European Parliament, the Council, the Commission or the Banking Stakeholder Group.	A request can be made at any time and the EBA does not have a specific legal obligation to respond within any length of time.
Preliminary Enquiry	A preliminary assessment of the alleged BUL.	The EBA carries out preliminary enquiries, including communication with competent authorities, in order to establish the facts concerning the alleged BUL.	There is no specific legal time limit for this period.
Investigation	The formal process to decide whether a BUL has occurred.	The EBA Chair decides whether to start a BUL investigation or not. The EBA’s Rules of Procedure provide for the convening of a Panel consisting of the Chair and six Board of Supervisors (BoS) members who are not concerned by the investigation. The Panel decides either: to close the investigation without adopting a recommendation or, if a BUL is established, to make a recommendation to the BoS for a BUL.	The EBA may address a recommendation to the competent authority concerned setting out the action necessary to comply with Union law no later than two months from initiating its investigation.
Recommendation	The BoS concludes that there is breach of Union law and addresses a recommendation to the competent authority concerned.	The decision to adopt a recommendation is taken by the EBA’s Board of Supervisors, comprised of supervisors from 27 competent authorities.	The decision concerning adoption of a recommendation must be taken within two months of inititation of the investigation (see previous point).
Communication	Addressing the recommendation to the national competent authority (NCA)	The recommendation sets out the action necessary to comply with Union law.	The NCA must respond within ten days.
Opinion	Where the competent authority has not complied, the Commission may issue a formal opinion to the NCA.	The Commission may act, after having been informed by the EBA, or on its own initative.	The Commission may issue such a formal opinion no later than three months after the adoption of the recommendation, and may extent this by one month.

Source: EBA Regulation, EBA Rules of Procedure.

Annex VI – Transposition checks

Transposition deadline	26 June 2017
Member state notifications submitted by the deadline or before the launch of non-communication infringements	6
Number of Member States that had not notified complete transposition at the time of this audit (July 2020)	8
Number of non-communication and non-completeness infringement proceedings initiated	28
Overall duration of infringement proceedings on completeness (months)52	More than 36 (ongoing)53

Source: ECA analysis of Commission analysis.

Annex VII – Types of exchange of information at the ECB

Categories	Exchanges in context of annual regular exchange of information (sent and received)	Ad hoc exchanges on own initiative (Sent and received)	Exchanges based on ad hoc requests (sent and received)
Information shared	Annual sharing of excerpts SREP decisions by the ECB with AML/CFT authorities (shared on own initiative) ML/TF risk scores and assessments; OSI reports and sanctions (annual requests send by the ECB to AML/CFT authorities)	Other relevant information stemming from supervision of both functions	Other relevant information stemming from supervision of both functions

Source: ECA based on information submitted by the ECB.

Acronyms and abbreviations

AML: Anti-money laundering

AMLD: Anti-money laundering Directive

BCBS: Basel Committee on Banking Supervision

BOS: Board of Supervisors

BUL: Breach of Union law

CFT: Combatting the financing of terrorism

CRD: Capital requirements directive

EBA: European Banking Authority

ECB: European Central Bank

EEAS: European External Action Service

EGMLTF: Expert Group on Anti-money Laundering and Counter Terrorist Financing

EIOPA: European Insurance and Occupational Pensions Authority

ESMA: European Securities and Markets Authority

FATF: Financial Action Task Force

FTE: Full-time equivalent

FINCen: Financial Crimes Enforcement Network

FIU: Financial intelligence unit

GDP: Gross domestic product

LFN: Letter of formal notice

MER: Mutual evaluation report

ML/TF: Money laundering and terrorist financing

SNRA: Supra-national risk assessment

SSM: Single supervisory mechanism

Glossary

AML supervisor: Public authority in the Member State tasked with the supervising the AML/CFT regime, examination of obliged entities for adherence to the jurisdiction's AML regime, imposition of fines for non-compliance.

Anti-money-laundering Directive: EU legislation and the main legal instrument for the prevention of the use of the Union financial system for the purposes of money laundering and terrorist financing; First Directive – from 1990 and subsequent iterations until the Fifth Directive -from 2018.

Basel Committee on Banking Supervision (BCBS): Primary global standard setter for the prudential regulation of banks and a forum for regular cooperation on banking supervisory matters.

Combating the Financing of Terrorism (CFT): Effective anti-money laundering and combating the financing of terrorism regimes are essential to protect the integrity of markets and of the global financial framework as they help mitigate the factors that facilitate financial abuse.

Conformity check: A check that the relevant provisions of an EU directive have been accurately reflected in national implementing measures.

Court of Justice of the European Union (CJEU): The Court of Justice interprets EU law to make sure it is applied in the same way in all EU countries, and settles legal disputes between national governments and EU institutions.

Credit institution: Undertaking, such as a bank, whose business is to receive deposits or other repayable funds from the public and to grant loans.

Delegated act: A legally binding act used by the Commission, if Parliament and the Council express no objection, to supplement or amend non‑essential parts of EU legislation, for example by giving details of implementing measures.

DG FISMA: European Commission Directorate-General for Financial Stability, Financial Services and Capital Markets Union; co-ordinating DG for AML at the Commission.

European Banking Authority (EBA): An EU agency established in 2011; One of the three European Supervisory Authorities and the main regulator in the area of banking regulation and supervision, drafting of regulatory technical standards to be approved by the Commission; with powers to enforce AML standards.

European Central Bank (ECB): European Institution established with the Treaty of Amsterdam in 1998; direct prudential supervisor of large banks in the euro area via the Single Supervisory Mechanism since 2014.

European External Action Service (EEAS): The EEAS is the EU's diplomatic service. It aims to make EU foreign policy more coherent and effective, thus increasing Europe's global influence. It manages the EU's diplomatic relations with other countries outside the bloc and conducts EU foreign & security policy.

European Supervisory Authorities (ESAs): The ESAs are the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA). The ESAs work on harmonising financial supervision in the EU, and help to ensure the consistent application of the rulebook to create a level playing field. They are also mandated to assess risks and vulnerabilities in the financial sector.

Europol: European Union’s law enforcement agency which inter alia supports the MSs in their fight against money laundering and terrorism.

Financial Action Task Force (FATF): Inter-governmental body established in 1989 by the Ministers of its Member jurisdictions. 39 Members including the European Commission and 14 Member States. Set standards and promote effective implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing and other related threats to the integrity of the international financial system. A “policy-making body” which works to generate the necessary political will to bring about national legislative and regulatory reforms in these areas.

Financial Intelligence Unit (FIU): National competent authority, responsible for enforcing anti-money laundering legislation in the Member State. Responsible for collection, analysis and dissemination of the reporting submitted by obliged entities including with other EU MSs and third countries, and liaison with law enforcement if necessary.

Infringement procedure: According to Articles 258 to 260 of the Treaty on the Functioning of the European Union, the main enforcement mechanism enacted by the Commission against a Member State whenever it is of the opinion that the Member State is in breach of its obligations under EU law.

Letter of Formal Notice (LFN): If the EU country concerned fails to communicate measures that fully transpose the provisions of directives, or do not rectify the suspected violation of EU law, the Commission may initiate a formal infringement procedure. The infringement procedure starts with a letter of formal notice, by which the EU Commission allows the Member State to present its views regarding the breach observed.

Prudential supervision: Direct oversight of financial institutions (including banks) to ensure that they are not just complying with the regulations in a legalistic sense but are operating soundly and prudently in the spirit of the regulatory framework.

Reasoned Opinion (RO): If the EU country concerned fails to communicate measures that fully transpose the provisions of directives, or does not rectify the suspected violation of EU law, the Commission may initiate a formal infringement procedure. After the step of sending a LFN and the Commission concluded that the country is failing to fulfil its obligations under EU law, as a second step in the procedure, it may send a reasoned opinion: a formal request to comply with EU law.

Supervisory Review and Evaluation Process (SREP): The annual supervisory process for large banks in the euro area under direct supervision by the ECB. Gives supervisors a harmonised set of tools to examine a bank’s risk profile from four different angles – Business model, Governance and risk, Capital, Liquidity.

Third country: Third country means a country or territory other than one within the European Community.

Transposition check: An assessment of the compatibility of national implementing measures with a directive’s provisions.

Transposition of EU law: The procedure by which EU Member States incorporate EU directives into their national law in order to make their objectives, requirements and deadlines directly applicable.

Audit team

The ECA’s special reports set out the results of its audits of EU policies and programmes, or of management-related topics from specific budgetary areas. The ECA selects and designs these audit tasks to be of maximum impact by considering the risks to performance or compliance, the level of income or spending involved, forthcoming developments and political and public interest.

This performance audit was carried out by Audit Chamber IV Regulation of markets and competitive economy, headed by ECA Member Alex Brenninkmeijer. The audit was led by ECA Member Mihails Kozlovs, supported by Edite Dzalbe, Head of Private Office and Laura Graudina, Private Office Attaché; Zacharias Kolias, Principal Manager; Shane Enright, Head of Task; Giorgos Tsikkos, Helmut Kern, Marc Hertgen, Marion Schiefele, Katja Mravlak and Nadiya Sultan, Auditors; Andreea-Maria Feipel-Cosciug, Lawyer. Michael Pyper provided linguistic support.

Endnotes

¹ See Eurostat’s ‘Money laundering in Europe’ (2013).

² The EBA recently concluded that “the same breach by the same financial institution is therefore likely to trigger the imposition of different sanctions and measures, depending on which competent authority is responsible for taking enforcement action, or no sanctions or measures at all. ”EBA Report on European Commission’s call for advice on the future EU legal framework on AML/CFT”, September 2020, paragraph 88, p. 23.

³ This can lead to the failure of a bank.

⁴ In January 2020, DG FISMA took over AML/CFT responsibility from the Commission’s Directorate General for Justice and Consumers (DG JUST).

⁵ This has been highlighted by the Basel Institute of Governance in its Basel AML Index: Ranking money laundering and terrorist financing risks around the world (2020 edition, p. 4): “This poor performance is consistent with breaches of AML provisions in European banks over the last few years […] have raised alarm about the quality of banking and non-banking supervision related to AML/CFT.”

⁶ European Commission, “Action Plan for a comprehensive Union policy on preventing money laundering and terrorist financing, May 2020.

⁷ European Parliament, Resolution on a comprehensive Union policy on preventing money laundering and terrorist financing – the Commission’s Action Plan and other recent developments, July 2020.

⁸ Council of the EU, Council Conclusions on anti-money laundering and countering the financing of terrorism, November 2020.

⁹ FATF Recommendations 2012, as amended June 2019.

¹⁰ Basel Committee on Banking Supervision, “Introduction of guidelines on interaction and cooperation between prudential and AML/CFT supervision”, and “Core Principles for Effective Banking Supervision”.

¹¹ Under EU Directives 2015/849 (“AMLD4”) and 2018/843 (“AMLD5”), Article 9.

¹² Treaty on the Functioning of the European Union, Article 290.

¹³ The term “third country” refers to jurisdictions (countries and territories) outside the EU.

¹⁴ Commission, “Methodology for identifying high risk third countries under Directive (EU) 2015/849”.

¹⁵ Scale from 1 (low significance) to 4 (high significance).

¹⁶ Commission, “Report on the assessment of the risk of money laundering and terrorist financing affecting the internal market and relating to cross-border activities” section 4 – Recommendations.

¹⁷ AMLD5, Article 6(2)(b) and AMLD5, Article 44; these obligations refer to the Commission, which may include the responsibilities of Eurostat and/or other DGs such as FISMA.

¹⁸ These are Commission powers under TFEU Articles 258 and 260.

¹⁹ This is the Commission’s responsibility under TEU Article 17.

²⁰ Article 13 on customer due diligence measures; Article 18 on enhanced customer due diligence; Article 30 on beneficial ownership information and central register; Article 45 on the additional measures in case of the application of the third country law and Article 50 on cooperation with ESAs.

²¹ For more background see ECA review 07/2018”Putting EU law into practice: The European Commission’s oversight responsibilities under Article 17(1) of the Treaty on European Union”.

²² 25 % replied that workshops were “very useful” and 60 % replied “somewhat useful”.

²³ Furthermore, in our survey, 12 out of 20 Member States (60 %) declared that informal contacts, e.g. bilateral meetings with the Commission, were “very useful”.

²⁴ One week later, six Member States had declared complete transposition and 15 Member States not yet notified any measure.

²⁵ Commission, “Better Regulation guideline, Toolbox No 37”, p. 285.

²⁶ As of September 2020.

²⁷ Commission, “Better Regulation guideline, Toolbox No 37”.

²⁸ Transposition checks start upon the expiry of the transposition deadline.

²⁹ In line with the Commission, Better Regulation guideline, Toolbox 37: “The Commission aims at completing the transposition check within six months after the transposition deadline expires. If Member States fail to notify the transposition measures by the deadline, an infringement procedure will be launched as soon as possible. In that case, the six-month period will start when the measures are notified”. As the end of this period is not indicated in the Better Regulation, we calculated it from the transposition deadline to the initiation of the infringement procedure (countries 1 and 3) and in a case of a missing declaration (country 2) from first notification until the closure of the case.

³⁰ Idem.

³¹ Furthermore, 12 out of 20 Member States (60 %) replying to our survey stated that four or more central government ministries were involved in the transposition of AMLD4.

³² See the “Joint Political Declaration of 28 September 2011 of Member States and the Commission on explanatory documents”.

³³ Court of Justice of the European Union, judgment of 8 July 2019 in Case C-543/17, Commission v Belgium; reiterated in judgment of 16 July 2020, Commission v Ireland, C‑550/18, ECLI:EU:C:2020:564, paragraph 74.

³⁴ Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC, OJ L 331, 15.12.2010, pp. 12-47, as lastly amended by Regulation (EU) 2019/2175 of the European Parliament and of the Council of 18 December 2019.

³⁵ Under Article 17(2) of the EBA Regulation.

³⁶ Commission, Report to the European Parliament and the Council on the assessment of recent alleged money laundering cases involving EU credit institutions, 2019.

³⁷ Commission, Report to the European Parliament and the Council on the operation of the European Supervisory Authorities (ESAs) and the European System of Financial Supervision (ESFS), 2014.

³⁸ Court of Auditors Special report 10/2019 EU-wide stress tests for banks: unparalleled amount of information on banks provided but greater coordination and focus on risks needed, paragraph 113.

³⁹ As required under Article 33(2) of Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (the “SSM Regulation” or “SSMR”).

⁴⁰ Article 127(6) TFEU and recital 28 of the SSMR.

⁴¹ Recital 29 of the SSMR.

⁴² The legislation did not simultaneously provide for corresponding exemptions from the professional secrecy regime. Recital 19 of AMLD5 acknowledges this stating that: “the exchange of confidential information and collaboration between AML/CFT competent authorities supervising credit and financial institutions and prudential supervisors should not be hampered by legal uncertainty which might arise as a result of the absence of explicit provisions in this field. Clarification of the legal framework is even more important since prudential supervision has, in a number of cases, been entrusted to non-AML/CFT supervisors, such as the European Central Bank (ECB).”

⁴³ AMLD5 entered into force in June 2018.

⁴⁴ CRD V entered into force in June 2019.

⁴⁵ Specifically, credit institutions from 12 significant supervised groups.

⁴⁶ EBA, Multilateral Agreement on the practical modalities for exchange of information on AML/CFT between the ECB and CAs, 2019.

⁴⁷ This issue was also raised in the ECA special report 29/2016 SSM – Good start but further improvements needed, paragraph 185.

⁴⁸ EBA, Guidelines on the revised common procedures and methodologies for the supervisory review and evaluation process (SREP) and supervisory stress testing, 2018.

⁴⁹ This was outside our sample period.

⁵⁰ European Securities and Markets Authority (ESMA).

⁵¹ European Insurance and Occupational Pensions Authority (EIOPA).

⁵² As of September 2020.

⁵³ Duration of the longest infringement procedure.

Timeline

Event	Date
Adoption of Audit Planning Memorandum (APM) / Start of audit	3.3.2020
Official sending of draft report to Commission (or other auditee)	26.3.2021
Adoption of the final report after the adversarial procedure	20.5.2021
Official replies of the Commission and the EEAS received in all languages	24.6.2021
ECB official replies received in all languages	12.5.2021
EBA official replies received in all languages	19.5.2021

Contact

EUROPEAN COURT OF AUDITORS
12, rue Alcide De Gasperi
1615 Luxembourg
LUXEMBOURG

Tel. +352 4398-1
Enquiries: eca.europa.eu/en/Pages/ContactForm.aspx
Website: eca.europa.eu
Twitter: @EUAuditors

More information on the European Union is available on the internet (http://europa.eu).

Luxembourg: Publications Office of the European Union, 2021

PDF	ISBN 978-92-847-6228-6	ISSN 1977-5679	doi:10.2865/431649	QJ-AB-21-013-EN-N
HTML	ISBN 978-92-847-6208-8	ISSN 1977-5679	doi:10.2865/868602	QJ-AB-21-013-EN-Q

COPYRIGHT

© European Union, 2021.

The reuse policy of the European Court of Auditors (ECA) is implemented by Decision of the European Court of Auditors No 6-2019 on the open data policy and the reuse of documents.

Unless otherwise indicated (e.g. in individual copyright notices), the ECA’s content owned by the EU is licensed under the Creative Commons Attribution 4.0 International (CC BY 4.0) licence. This means that reuse is allowed, provided appropriate credit is given and changes are indicated. The reuser must not distort the original meaning or message of the documents. The ECA shall not be liable for any consequences of reuse.

You are required to clear additional rights if a specific content depicts identifiable private individuals, e.g. in pictures of the ECA’s staff or includes third-party works. Where permission is obtained, such permission shall cancel and replace the above-mentioned general permission and shall clearly indicate any restrictions on use.

To use or reproduce content that is not owned by the EU, you may need to seek permission directly from the copyright holders.

Software or documents covered by industrial property rights, such as patents, trade marks, registered designs, logos and names, are excluded from the ECA’s reuse policy and are not licensed to you.

The European Union’s family of institutional Web Sites, within the europa.eu domain, provides links to third-party sites. Since the ECA has no control over them, you are encouraged to review their privacy and copyright policies.

Use of European Court of Auditors’ logo

The European Court of Auditors logo must not be used without the European Court of Auditors’ prior consent.

GETTING IN TOUCH WITH THE EU

In person
All over the European Union there are hundreds of Europe Direct Information Centres. You can find the address of the centre nearest you at: https://europa.eu/european-union/contact_en

On the phone or by e-mail
Europe Direct is a service that your questions about the European Union. You can contact this service

• by freephone: 00 800 6 7 8 9 10 11 (certain operators may charge for these calls),
• at the following standard number: +32 22999696 or
• by electronic mail via: https://europa.eu/european-union/contact_en

FINDING INFORMATION ABOUT THE EU

Online
Information about the European Union in all the official languages of the EU is available on the Europa website at: https://europa.eu/european-union/index_en

EU Publications
You can download or order free and priced EU publications at: https://op.europa.eu/en/web/general-publications/publications. Multiple copies of free publications may be obtained by contacting Europe Direct or your local information centre (see https://europa.eu/european-union/contact_en)

EU law and related documents
For access to legal information from the EU, including all EU law since 1952 in all the official language versions, go to EUR-Lex at: http://eur-lex.europa.eu/homepage.html?locale=en

Open data from the EU
The EU Open Data Portal (https://data.europa.eu/euodp/en/home) provides access to datasets from the EU. Data can be downloaded and reused for free, both for commercial and non-commercial purposes.