Special Report
13 2021

EU efforts to fight money laundering in the banking sector are fragmented and implementation is insufficient

About the report: Money laundering is the practice of “legitimising” the proceeds of crime by filtering them into the regular economy to disguise their illegal origin. Given the importance of EU anti-money laundering policy and the role of the banking sector, we assessed whether the EU’s actions in this area are well implemented.

We found institutional fragmentation and poor co-ordination at EU level when it came to actions to prevent money laundering and take action where risk was identified. EU bodies have limited tools to ensure sufficient application of AML/CFT frameworks at national level. There is no single EU supervisor, the EU’s powers are split between several bodies and co-ordination with Member States is carried out separately.

We make recommendations to remedy these issues.

ECA special report pursuant to Article 287(4), second subparagraph, TFEU.

This publication is available in 23 languages and in the following format:
PDF General Report

Executive summary


Money laundering is the practice of “legitimising” the proceeds of crime by filtering them into the regular economy to disguise their illegal origin. Within Europe, Europol estimates the value of suspicious transactions in the hundreds of billions of euros – at an equivalent of 1.3 % of the EU’s gross domestic product (GDP). Global estimates are close to 3 % of world GDP.


The EU adopted its first anti-money laundering directive in 1991, most recently updated in 2018, to counter threats to the internal market from money laundering, and, subsequently, to prevent terrorist financing. The anti-money laundering directive relies on implementation at national level for effect.


A number of EU bodies play a part too. The Commission develops policy, monitors transposition, and carries out risk analysis. The European Banking Authority (EBA) carries out analysis, investigates breaches of Union law, and sets detailed standards for use by supervisors and industry. In 2020, the EBA’s legal mandate and powers in respect of anti-money laundering and countering the financing of terrorism (AML/CFT) were substantially increased. The European Central Bank (ECB) takes money laundering and terrorist financing (ML/TF) risk into account in the prudential supervision of banks in the euro area and, since 2019, has been sharing relevant and necessary anti-money laundering and countering the financing of terrorism (AML/CFT) information with national supervisors.


Given the importance of EU AML/CFT policy and the current momentum for reform, we decided to audit aspects of its efficiency and effectiveness. Our report is intended to inform stakeholders and provide recommendations to further support development of policy and implementation. We looked at the EU’s actions in this field by focusing on the banking sector by asking whether the EU’s action is well implemented.


Overall, we found institutional fragmentation and poor co-ordination at EU level when it came to actions to prevent ML/TF and take action where risk was identified. In practice, AML/CFT supervision still takes place at national level with an insufficient EU oversight framework to ensure a level playing field.


The Commission is obliged to publish a list of countries outside the EU (“third countries”) which pose a money-laundering threat to the internal market. There were shortcomings in relation to communication with listed third countries, and a lack of cooperation by the European External Action Service. Furthermore, to date, the EU has not adopted an autonomous list of high-risk third countries. The Commission also carries out a risk assessment for the internal market every two years. This risk assessment does not indicate changes over time, lacks a geographical focus, and does not prioritise risk effectively.


We found that the Commission was slow to assess Member States’ transposition of directives due to poor-quality communication by Member States and limited resources at the Commission. European Banking Authority staff carried out thorough investigations of potential breaches of EU law, but we found evidence of lobbying of its Board of Supervisors who were part of a deliberative process. We also found that the European Central Bank has made a good start in sharing information with national AML/CFT supervisors, although some decision-making procedures were slow. The quality of material shared by the supervisors also varied considerably due to national practices, and the EBA is developing updated guidance.


We recommend that the Commission should:

  1. prioritise ML/TF risk more clearly, and liaise with the European External Action Service for listed third countries.
  2. make use of regulations in preference to directives where possible;
  3. put in place a framework for making breach of Union law requests;

We recommend that the European Banking Authority should:

  1. put in place rules to prevent other Board of Supervisors members from seeking to influence panel members during their deliberations;
  2. issue guidelines that facilitate harmonised information exchanges between national and EU-level supervisors.

We recommend that the European Central Bank should:

  1. put more efficient internal decision-making procedures in place;
  2. make changes to its supervisory practices once guidance from the European Banking Authority is in place.

The forthcoming legislative reform is an opportunity for the Commission, the European Parliament and the Council to address the weaknesses identified and to remedy the fragmentation of the EU AML/CFT framework.


What is money laundering?


Money laundering can occur right across the economy, from gambling to commodity trades and property purchases. However, at some stage launderers usually need to use the banking system, particularly when converting and moving illegal proceeds (known as “layering”). For more detail on how money laundering works, see Figure 1. Indeed, the most recent Eurostat figures1 show that over 75 % of suspicious transactions reported came from credit institutions in more than half of EU Member States. Therefore preventive measures in the banking sector can be an effective tool for breaking the cycle of money laundering.

Figure 1

How money laundering takes place

Source: ECA, based on inter-governmental Financial Action Task Force (FATF) definitions.


A related threat to money laundering is terrorist financing, see Box 1. Policies to tackle money laundering and terrorist financing (ML/TF) are linked and generally dealt with by the same instruments, referred to as anti-money laundering and countering the financing of terrorism (AML/CFT).

Box 1

What is terrorist financing?

Terrorist financing involves the supply of funds to terrorist organisations, very often with a cross-border dimension. In some ways, terrorist financing is the reverse of money laundering, as quite often small sums of legitimate proceeds are pooled and put to use for terrorist activity. Since both activities involve illegal financial flows, they are generally dealt with using the same policy tools.

Public policy to counter money laundering


National AML policies to prevent and punish money laundering go back to the 1970s. Globally, the key body in this regard is the inter-governmental Financial Action Task Force (FATF), which was established by the G7 in 1989 and is based in Paris. The 39 members of the FATF include the United States, Russia and China, as well as the European Commission and 14 EU Member States.


The FATF sets standards and promotes effective action for combating money laundering, terrorist financing and other related threats to the integrity of the international financial system. Its guidance now covers preventive measures for financial institutions, as well as the recommended powers of regulators, supervisors and law enforcement bodies. It facilitates ‘Mutual Evaluation Reports’ (MERs), a system of periodic peer reviews among its members to assess how well its standards and recommendations are being put into practice. The EU does not focus on peer review of implementation at national level to the same extent as in the FATF approach.


In 1991, building on the FATF standards, the EU adopted an anti-money laundering directive (AMLD) to prevent criminals from taking advantage of the free movement of capital in the internal market, and to harmonise the Member States’ efforts to tackle money laundering. The EU has since updated the AMLD four times, as FATF standards have evolved, tightening the rules each time. This has been to reflect the growing recognition at global level of the adverse effects of money laundering and new techniques used by money launderers, while strengthening the framework through other criminal law legislation. More detail on the legal framework can be found in Annex I.


Prosecution and enforcement for money laundering offences in the EU is at the discretion of Member States, which apply varying prosecuting standards and penalties. Of the other FATF countries, the United States generally follows a more punitive regime in its enforcement of money laundering rules and penalties, and cases in recent years have seen large fines and other penalties imposed on EU banks operating in the US. For more details see Annex IV.

Responsibilities of the EU and the Member States


The EU AML/CFT framework has to date mostly taken the form of directives under Article 114 TFEU. This contrasts with other areas of financial services legislation where a hybrid approach of both regulation and directive has become more common. Therefore for AML/CFT, EU bodies provide policy development, guidance, and oversight; but the law is implemented in the Member States. There is no single EU-level AML/CFT supervisor. Designated national AML/CFT supervisory bodies have the job of ensuring that financial and other institutions covered by the AML/CFT rules comply with their obligations, and of taking corrective action if they do not. This can include financial penalties and restrictions on conducting business. Financial institutions are also obliged to report suspicious activity to their Member State’s financial intelligence units (FIUs), see also Figure 2.


Compared to the United States, the EU does not have a single money-laundering supervisor for any sector. Each Member State has a supervisor (or supervisors) competent to supervise banks, and indeed other 'obliged entities'. EU bodies have limited direct powers. Behaviour by supervisors is very different, potentially leading to unequal treatment across Member States2. In the United States the Financial Crimes Enforcement Network (FinCEN) is the primary AML/CFT regulatory body and monitors banks, financial institutions and individuals. FinCEN’s actions have a global reach as it has the power to prohibit banks outside the US from having correspondent banking relationships with US banks if it has reasonable grounds to conclude that a bank is of primary money laundering concern3.


The Commission’s Directorate-General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA)4 coordinates EU policy on anti-money laundering and countering terrorist financing. The Commission is responsible for highlighting risks to the EU’s financial system and making appropriate recommendations to relevant stakeholders. It is also in charge of policy development and of ensuring that the EU legislation is transposed and implemented in Member States. The Commission therefore has the key role to play in facilitating the creation of a robust AML/CFT framework in the EU. The European External Action Service (EEAS) and Europol also have a role to play in producing relevant intelligence on ML/TF for use by the Commission.


The European Banking Authority (EBA) is since 2020 responsible for leading, coordinating and monitoring the EU financial sector’s fight against money laundering and terrorist financing. Before then, its work covered only the banking sector including the drafting of regulatory instruments, such as guidelines, opinions on ML/TF risks, and reports. The EBA also has powers to investigate suspected breaches of EU law by national supervisors in this regard. The EBA does not have supervisory or enforcement powers.


The European Central Bank (ECB) is responsible for prudential supervision of large banks in the euro area. Prudential implications of ML/TF risks have increasingly become a topic of interest for the ECB, as ML/TF risk can lead to supervisory challenges, and reputational risk for the sector as a whole. Since 2019 the ECB has begun to integrate AML/CFT considerations in its prudential supervision, which is dealt with through the Supervisory Review and Evaluation Process (SREP). With the support of the EBA and the other ESAs, it has signed an exchange of information agreements with around 50 AML/CFT supervisors, and ECB supervisors assess the information, incorporate it in their prudential supervisory work and, if necessary, take the appropriate prudential measures.


Europol supports Member States in their fight against money laundering and terrorist financing. The key EU players are set out in Figure 2.

Figure 2

Key AML/CFT institutional players in the EU

Source: ECA.

Policy state of play


One of the key aspects of the current policy debate on the EU AML/CFT architecture is the lack of central EU AML/CFT supervision, and how this leads to an uneven playing field5.


In May 2020, the Commission adopted an action plan on AML/CFT in the form of a communication including several pillars6, along with the publication of the revised methodology on the identification of high-risk third countries. The Commission will propose the establishment of a Single Rulebook, a single supervisory body for AML/CFT. This was subsequently broadly supported by the European Parliament7.


In November 2020, the Council issued conclusions8 broadly supporting these policy objectives. The legislative proposals to include the pillars set out in the preceding paragraph are expected from the Commission by mid- 2021.

Audit scope and approach


Given the importance of the AML/CFT policy in the EU, recent high-profile cases of ML/TF in the banking sector, and the current appetite for reform, we decided to audit aspects of its efficiency and effectiveness. Our report is intended to inform stakeholders and provide recommendations to support development of policy and further implementation.


The main audit question was whether EU action in the fight against money laundering in the banking sector is well implemented. Although our audit focus is the banking sector, the conclusions may be relevant to ML/TF policy for other sectors too. We have left financial intelligence units (FIUs) out of the scope of this audit. The sub-questions are:

  • Does the EU produce a third-country list that identifies specific threats to the EU?
  • Did the Commission appropriately assess the money laundering risks affecting the internal market?
  • Did the Commission appropriately assess the transposition of EU legislation into national legislation?
  • Did the Commission and EBA take timely and effective action in response to potential breaches of EU AML/CFT law?
  • Did the ECB efficiently integrate ML/TF risks into its prudential supervision of banks and did it efficiently share information with national supervisors?

Our auditees were the Commission (mainly DG FISMA), the European Banking Authority (EBA) and the European Central Bank (ECB). Findings were also cleared with the EEAS. In addition, we conducted an electronic survey amongst the 27 member countries of the Expert Group on Anti-money Laundering and Counter Terrorist Financing (EGMLTF). The survey touched on aspects of ML/TF policy implementation at national level, such as risk assessment and transposition. We received answers from 20 countries. Reference to the survey is included throughout this report. We also conducted interviews with public authorities involved in AML/CFT policy and supervision from four Member States . We chose them for a range of size, location, and ML/TF risks faced. In several sections we carried out our detailed work using a sample of either Member States or banks, with the selection criteria explained in the respective sections. We discussed our preliminary findings with an expert panel.


Our audit criteria are drawn from the international standards set by the FATF9 and the Basel Committee on Banking Supervision10. The legal framework (AMLD, CRD, SSMR and EBA Regulation) and relevant guidelines issued by the EBA were also used. For the EBA’s activity we carried out benchmarking against its specific sets of rules of procedure, where relevant. With regard to transposition, we referred to the Commission’s own Better Regulation guidelines. For the risk assessment carried out by the Commission, we applied the relevant risk assessment standards.


The EU’s list of risky third countries is not tailored to the potential threats to the EU


The Commission is legally obliged to identify countries outside the EU that have strategic deficiencies in their national AML/CFT framework that pose a risk to the EU’s financial system11. The Commission adopts the list of high-risk third countries by way of a “Delegated Act”12 When the Commission identifies such third countries13, it means that obliged entities (including banks) within the EU are immediately forced to apply much stricter measures (specifically enhanced due diligence) when dealing with individuals and firms in the countries on the list. This is to protect the proper functioning of the internal market and to limit the flow of laundered money into the EU. There are over 200 countries and territories which the EU must consider. Putting a country on the list can lead to delays and costs in doing business for EU firms and citizens who want to do business with these countries, and indeed vice versa. It can also lead to de-risking, which is where firms strategically withdraw from market segments due to the regulatory burden.


We assessed whether the Commission’s process for generating a third country list is efficient and effective, by reference to the relevant standards.

The Commission’s method of gathering inputs to generate a third-country list was efficient, but was hindered by a lack of timely co-operation on the part of the EEAS


The AMLD obliges the Commission to consider reliable and up-to-date information sources when making its assessments, including the third countries’ AML/CFT frameworks. As a first step, in July 2018, the Commission adopted and published a staff-working document that represented the working procedure for identifying third country jurisdictions14 (“the 2018 methodology”).


The methodology is built on AMLD requirements, and FATF standards, methodology, and best practices. It also takes the FATF listing procedure as the baseline for EU policy toward third countries, and adds country-specific intelligence gathered by Europol and the EEAS. The starting point is the most recent Mutual Evaluation Report (MER) prepared by the FATF, or relevant regional body. The Commission’s approach is somewhat different from that of the US. The US approach allows for different levels of third-country risk, and is more sanctions-driven.


The Commission also has other listing processes which in effect tackle ML/TF threats from outside the EU, specifically the list of non-cooperative tax jurisdictions for tax purposes, and also the list of restrictive measures (sanctions). These are compared in Annex III. Both the tax and sanctions lists are designed to encourage change outside the EU, while the AML/CFT third-country list is mainly defensive in nature. Also, both these other lists are the result of Council decisions.


The methodology (see paragraph 22) also obliges the Commission to gather input from Europol and the EEAS because they have the relevant expertise, including country-specific information also on ML/TF risk in third countries in the EEAS’s case. During the scoping and prioritisation exercise, the Commission formally requested information related to the identification of the third-countries from both Europol and EEAS.


Table 1 illustrates the timeline followed by the Commission in generating and updating the third country list.

Table 1

Steps for generating the third country list

Date Activity
14 July 2016 First Delegated Act based on AMLD4 largely replicating FATF list (updated several times to reflect subsequent listings by FATF)
22 June 2018 Commission methodology for Delegated Act under AMLD5 (“the 2018 methodology”)
March – September 2018 Commission scoping exercise and own analysis phase (incl. Europol and EEAS)
September 2018 –January 2019 Commission engagement with MS on draft country files and draft Delegated Act
13 February 2019 Commission adoption of Delegated Act based on 2018 methodology
7 March 2019 Rejection of Delegated Act by Council (see paragraph 34)
7 May 2020 Adoption of updated Delegated Act further aligning with FATF lists
7 May 2020 Adoption of revised methodology for use from 7 May onwards (“the 2020 methodology”)

Source: ECA.


Europol provided the Commission timely and consistently with information for the scoping and prioritisation exercises. The EEAS did not initially provide any of the information requested in writing by the Commission, providing input to the process only later. The lack of country-specific information at the time it was initially requested reduced the efficiency of the process.


There were also issues to be faced in relation to engagement with third countries. The methodology obliged the Commission and the EEAS to engage in a coordinated manner and to ensure that the third country concerned would be updated, fully and in good time, on the adoption of the Delegated Act. We did not find evidence that this happened in a thorough manner.


The Commission adopts the list of high-risk third countries by way of a “Delegated Act”. This obliges the Commission to consult expert groups of Member State representatives before adoption.


The Commission communicated with the Council via the EGMLTF and asked for input on the preparation of the countries’ risk profiles, the AML/CFT assessments, and on the draft Delegated Act. During the consultation on the preparation of the country risk profiles and AML/CFT assessments (“country fiches”) in November 2018 (see Table 1); almost half of the Member States provided relevant input to the Commission.

The Commission assessments are complete but relied heavily on FATF reports


The methodology obliges the Commission to prepare country profiles for each assessed country, describing threats and risks and, based on the analysis of eight building blocks, to make an overall assessment of the level of deficiency of the third country concerned.


Based on our analysis of a sample of ten countries, we conclude that the Commission managed to gather information effectively on third country risks and compile it into individual country profiles that it used for its assessments. In general, the country profiles included complete and relevant information in most cases, compiled from both internal and publicly available sources of information. However, they rely heavily on MERs done using FATF methodology, and some of these are up to a decade old.


The Commission methodology does not use any weights or scoring criteria assigned to each building block and/or assigned rating with the choice of jurisdictions being ultimately based on expert judgement. However, in our sample we did not identify any inconsistency between jurisdictions selected or not selected by the Commission.

The first attempt at an autonomous EU third-country list failed, and as a result the EU’s current list does not go beyond the FATF list


The Commission adopted the Delegated Act on the 13 February 2019; identifying 23 high-risk third countries (see Table 1). The Delegated Act could only enter into force if the European Parliament and the Council, within a period of a month of the notification of the act, did not object. On 7 March 2019 the Council decided unanimously to reject the draft list put forward by the Commission. Many Member States expressed concerns that the consultation process with them had been rushed. By contrast, the Parliament endorsed the Delegated Act in its resolution of 14 March 2019.


After the Council’s rejection, the Commission proceeded to propose a new Delegated Act in May 2020 (see Table 1). This was done based on alignment with the FATF process by only considering countries listed and de-listed by FATF. This list was more limited in scope. It was not rejected by either Parliament or Council and is currently in force. For information, we show the February 2019 list highlighting the countries which were not on an FATF list at the time (see Table 2).


Overall the process to draft an autonomous EU third country list has not been effective. To date, the EU has not agreed on a third-country list that goes beyond the FATF list in force, and which addresses specific EU-related threats. The chosen response to risk is only at the country level, and does not target the entity or sector like with the EU sanctions list.


In May 2020 the Commission also published a refined methodology to be used for the next listing process which is currently being implemented. It builds on the previous methodology, and will involve greater engagement with third countries. This will in effect mean that listing a new third country could take up to 12 months. Our observations about the shortcomings of the previous methodology are still relevant for the implementation of the current methodology.

Table 2

Rejected 2019 list

Jurisdictions on the EU list
Countries on FATF list in force Countries not on FATF list in force
Democratic Republic of North Korea
Sri Lanka
Trinidad and Tobago
American Samoa
Puerto Rico
Saudi Arabia
US Virgin Islands

Source: ECA.

The Commission’s risk analysis for the EU internal market lacks geographical focus, prioritisation and data


The AMLD4 obliges the Commission to assess the specific ML/TF risks affecting the internal market and relating to cross border activities and to report every two years or more frequently if appropriate. This is known as the Supra National Risk Assessment (SNRA). The first SNRA was produced in 2017 and the second in 2019. The purpose of this type of risk mapping is to spot the depth and location of issues in the Union in order to help to set up appropriate corrective actions. It is also a key tool for policymakers and banks alike, showing them where to focus their actions to best reduce ML/TF risk. Member States are also obliged to produce a national risk assessments (NRA) but we did not assess these. The Commission is also obliged to collect statistics from Member States on quantitative volumes of money laundering.


We assessed whether the Commission’s process for generating an SNRA and publishing statistics was efficient and effective, by reference to the relevant standards.

The Commission’s methodology does not prioritise sectors based on risk, does not have a geographical focus, and does not show changes over time


The Commission’s methodology is built on the FATF’s approach. This approach provides all the necessary details in line with risk management standards. (see Table 3).


The approach used to perform the SNRA aims to assess vulnerabilities detected at EU level through a systematic analysis of the money laundering risks linked to the techniques used by potential perpetrators of money laundering and terrorist financing.


The Commission’s work for the 2019 SNRA consisted of an analysis and accompanying assessment for each of the 47 products or services, outlining the relevant threats, vulnerabilities and conclusions; see Table 3.

Table 3

Supranational risk assessments prepared by the Commission

2017 2019
Professional sectors 10 11
Products or services 40 47
Average threat (ECA sample) 2.715 3.2
Average vulnerability (ECA sample) 2.8 3.0

Note: our sample approach is outlined in paragraph 46. By threat we mean the likelihood of a product or service being mis-used for illicit purposes. By vulnerability, we mean the potential weaknesses of these same products or services which allow terrorist groups or organised crime organisations to misuse them for illicit purposes.

Source: ECA analysis based on Commission documentation.


Updates to the SNRA were created using information from ongoing exchanges with stakeholders, including Member States, professional organisations, and NGOs. In our survey, 50 % of Member States concluded that the SNRA was very useful for developing policy at national level, with 40 % responding it was somewhat useful.


The Commission does not present sectoral assessments by priority level (overall score: threat multiplied by vulnerability for instance), but presents them by professional sector. There is, however, a summary of the risks for the sectors included in the accompanying communication from the Commission. The Commission did not make an assessment per sector of whether the level of overall threat or vulnerability rose between 2017 and 2019. In addition, the lack of comparable statistics makes it more difficult for the Commission to compare threats from the different sectors (see also paragraph 48).


The risk assessment methodology designed by the Commission with the help of the EGMLTF considers the impact of the residual risks identified after analysing the threats and vulnerabilities as “constantly significant” in all cases. This is evidence of a lack of prioritisation in the exercise.


For our analysis, we selected a sample of three out of the 47 products and services (e-money; brokerage and wealth management- private banking), as they are relevant to the banking sector and had high vulnerability scores. Our findings are as follows:

  • although we noticed input from various stakeholders on the draft fiches, it was not possible to clearly link this to the assessment made;
  • we found that the changes of score were not substantiated, especially where the conclusions became more critical;
  • there is no geographical focus in the risk assessment, even though this would be relevant for some sectors ;
  • the Commission is allowed to make updates, between the biannual updates, for developments in sectors where innovation is rapid, but has never done so;
  • for the follow-up of recommendations, two years may not be sufficient for the Commission to be able to check completion of actions.

The follow-up of the 2017 SNRA was performed when drafting the 2019 edition. For the three sectors reviewed, we found no clear mention of the conclusions of this follow-up in the SNRA 2019 at the level of sector. There is however, an overall follow-up of recommendations in the report from the Commission to the European Parliament and the Council16.

The Commission has not reported on ML/TF statistics


Historically, there have been few reliable estimates of the magnitude of money laundering in Europe, either by sector, by frequency of occurrence, or in monetary terms. Since January 2020, the Commission has been obliged to collect and subsequently report on statistics on matters relevant to the effectiveness of their systems to combat money laundering and terrorist financing. Member States are also obliged to submit such statistics to the Commission17. The Commission (DG FISMA) has taken steps to collect these data from Member States, although it has not reported on them to date. Furthermore, Eurostat does not have a methodology to collect and estimate quantitative volumes of money laundering.


Overall, we find that risk is not clearly prioritised by the Commission in its bi-annual assessment, and there is no geographical dimension. Furthermore, the Commission does not publish statistics on ML/TF that would allow for greater prioritisation in the exercise. Together, these reduce the ability of the Commission, policymakers, and obliged entities to take action to mitigate ML/TF risk.

Transposing EU AML/CFT legislation is complex, transposition is uneven, and assessment by the Commission is slow


The EU’s legal framework for the prevention of money laundering is almost entirely in the form of directives, which must be implemented in the legislation of Member States, rather than regulations. For a directive to take effect at national level, EU countries must adopt a national measure, usually a piece of legislation. If the Member State fails to implement EU law, the Commission has the ultimate power to resort to formal infringement procedures18 before the Court of Justice of the EU.


Our audit examined whether the Commission is assessing the transposition of the EU AML/CFT legal framework effectively19 by reference to the relevant standards including the AMLD, the Commission’s own Better Regulation guideline, and other internal guidance. To answer this question, we assessed the Commission’s checking of AMLD4. It entered into force on 15 July 2015 and the 28 Member States were obliged to transpose this Directive into national law and to communicate all national transposition measures to the Commission by 26 June 2017. Nevertheless, while AMLD4 was still being transposed, AMLD5 came into effect in mid-2018.


We carried out our assessment on a sample of three Member States and five of the 69 AMLD4 articles. We chose articles which were relevant to the EU banking sector and for which compliance issues were found in most Member States20. We focused our assessment on the first two phases of the compliance checking process, i.e. notification and transposition checks, as most of the Commission’s conformity checks are still ongoing and not finalised yet. Our audit scope did not cover an assessment of the implementation of the legislation in the Member States. The Commission’s compliance checking process is explained in Figure 3.

Figure 3

The Commission compliance checking process

Source: ECA based on Commission, Better Regulation guideline, Toolbox 37.

The Commission took useful action to encourage transposition


To help Member States, the Commission provides compliance-promoting tools21. Between September 2015 and April 2016, i.e. in advance of the transposition deadline, the Commission organised five workshops for all Member States. Overall, we found that the workshops covered all crucial topics with regard to transposition of AMLD4. Our survey showed that 17 out of 20 Member States (85 %) found the Commission’s guidance useful22 and 70 % replied that workshops were a very useful method to support them23 in their transposition work. One issue referred to by Member States was the fact that AMLD5 came into effect in mid-2018 while AMLD4 measures were still being transposed. This put pressure on administrative capacity to deliver transposing measures.


Despite this action by the Commission, before the transposition deadline, the Commission began infringement procedures for non-communication or incomplete communication24 against all Member States between July 2017 and March 2019. One week later, only six Member States had declared complete transposition, seven Member States had declared partial transposition and 15 Member States had not notified any measures transposing AMLD4. However, our sample showed that some Member States had overstated the extent to which they had taken transposition measures. This contributes to a situation where, despite a desire at EU level for consistency, AML law is implemented unevenly at national level, increasing the vulnerability of the single market to ML/TF risk (see also paragraph 09).

The Commission’s use of a contractor had shortcomings


The Commission outsourced the compliance testing of AMLD4 to an external contractor who was to carry out transposition and conformity checks on all national transposition measures and for all 28 Member States. The internal guideline25 requires the Commission to review the external contractor’s reports. Our audit work confirmed that these internal guidelines were adhered to.


There was no contingency in the contract for follow-up procedures, so when the contract ended the full burden of assessing the transposition for all 28 Member States fell to Commission staff. This is particularly relevant for AMLD4, where the majority of Member States declared either partial or no transposition by the agreed deadline, and several Member States notified a high number of transposing measures, in some cases over four years (between 2016 and 2020).


In practice, the Commission was only able to act rapidly to start an infringement procedure when a Member State declared neither complete nor partial transposition. In our sample, one Member State did this. The Commission sent a letter of formal notice (LFN) to the Member State a month after the deadline passed in June 2017.


In our sampled cases, the Commission took a minimum of 20 months and a maximum of 40 months to finalise the overall transposition checks including the infringement procedures on AMLD4 (see Table 4)26. This is significantly longer than the objective in the Commission’s own guideline27. A contributory reason was the length of time the Member States took to transpose and notify AMLD4, as well as the incompleteness of the transposing measures. In addition, conformity checks can only start once the transposition checks (including a possible infringement procedure for completeness issues) have been completed28, which can slow down the process. There was a wide range of measures notified across Member States, over a period of between two and five years (see Figure 4).

Table 4

Transposition by sample country

Event Country 1 Country 2 Country 3
Start of the transposition and conformity check June 2017 November 2017 June 2017
Notification of measures by Member State (first to last notification) January 2017 – August 2020 November 2017 – February 2018 July 2017 – May 2020
Member States’ declaration of transposition (July 2017) Partial Missing/None Complete
Duration of the transposition check (months) – target: 6 months29 7 20 21
Duration of the conformity check (months) – target: 16/24 months30 ongoing ongoing ongoing
Infringements launched – Letter of formal notice January 2018 July 2017 March 2019
– Reasoned opinion March 2019 - -
– Referral to the Court of Justice of the European Union (CJEU) July 2020 - -
Closure (of transposition related issues) October 2020 July 2019 July 2020
Overall duration of transposition checks including the infringement procedures 40 20 37

Source: ECA analysis of Commission documentation, end November 2020.


For the compliance checks (see paragraph 52), our review showed that the quality of the Commission’s documentation after the external contractor had finished its work varied significantly from country to country. For one of the sampled countries the Commission could not provide records of structured follow-up by its staff. With the exception of the template for compliance checks, the relevant Commission unit did not have unit-level guidelines in place and staff turnover was high. The Commission did not have a strategy in place to ensure institutional memory on what remains a specialist topic. This is despite EU AML/CFT legislation being on its fifth iteration.

Many Member States did not cooperate fully with the Commission


AMLD4 is a complex directive that in most of the Member States is not transposed in a single piece of legislation but requires the adoption or modification of different pieces of legislation. 19 out of 20 Member States (95 %) replying to our survey agreed that the biggest challenge to transposing AMLD4 was the complexity of legislation, while 60 % mentioned human resources as a challenge. One of our sampled Member States notified its 64 measures in five stages: three measures were notified before the deadline passed, 10 measures after the deadline in 2017, 16 measures in 2018, 34 measures in 2019, and one measure in 2020. This example shows how complex the transposition process was in certain Member States, often involving several ministries31.

Figure 4

Number of transposing measures notified by Member States for AMLD4

Source: ECA analysis of Commission documentation as of 23 November 2020.


Member States were required to provide the Commission with explanatory documents including transposition tables32. Our sample showed that Member States did not always do so and some even explicitly refused. Our audit found that not all Member States notified their national transposition measures via the database designed for the purpose either, which hampered the assessment of the transposition of AMLD4. Together, this increased the Commission’s workload.


By way of context, in 2019, the CJEU concluded33 that the burden of proof is on the Member States to provide sufficiently clear and precise information on the measures transposing a directive. However, the transposition of AMLD4 largely pre-dated the above-mentioned judgments.

The Commission’s management of the process lacked resources


DG FISMA’s unit responsible for AML/CFT oversight currently consists of 17 full time equivalent (FTE) staff, having expanded in recent years. It is also responsible for AML/CFT law making, case handling, BUL requests to the EBA, the preparation of third country lists, and the SNRA.


For the years 2017-2019, the unit had a limited number of staff who generally had a broad range of responsibilities. Our own calculations suggest that one desk officer was in some cases responsible for four to six Member States, and staff turnover was high.


The lack of human resources contributed to the delays compared with the Commission’s own guidelines as set out in previous paragraphs. For some Member States, the Commission did not have staff with the relevant language skills for check transposition, and therefore it was particularly reliant on translations that added time.


Overall, the Commission’s assessment of AML/CFT legislation lacked effectiveness. This was related to several factors, such as the complexity of the legislation, uneven action taken by Member States, and lack of resources given to AML/CFT tasks at the Commission. In addition, the reliance on directives meant a slow and uneven implementation of EU AML/CFT law.

The Commission and EBA did not use their 'breach of Union law' powers effectively


A key condition for the smooth functioning of the internal market is for EU law relating to money laundering to be implemented consistently throughout the Union. The legislative basis (for simplicity “the EBA Regulation”34) gives the EBA the power to investigate a potential breach of Union law (BUL) relating to AML/CFT legislation at Member State level. This could involve inadequate supervision allowing large volumes of ML/TF to take place in a bank.


The EBA has had BUL powers since its creation in 2010. The procedure for a breach of Union law investigation is set out in the EBA Regulation and also the EBA’s own rules of procedure. Annex V sets out the process, timeline, and key stakeholders involved.


These investigations can be carried out at the EBA’s own initiative or on referral from a number of other bodies, including the Commission. Therefore the whole process, including referral from the Commission to the EBA is relevant to an assessment of the efficiency and effectiveness of how a potential breach of Union law is dealt with. It is also relevant as the Commission has the overall responsibility at Union level for the correct application of EU law (see also paragraph 51). Specifically, we examined whether the Commission acts effectively when faced with potential breaches of EU AML/CFT law, and whether the EBA investigates them in an effective and timely manner. We explored whether the Commission uses its powers in regard to potential breaches of EU AML/CFT law, in particular its (internal) procedures, to request the EBA to investigate an alleged breach or non-application of Union law35.Furthermore, we assessed whether the EBA investigates potential breaches of Union law in line with its powers under the EBA Regulation.


Since 2015 the EBA has received 48 cases in total from several sources, relating to different types of law, such as prudential supervision. It has never opened an own-initiative investigation relating to ML/TF. Nine of these 48 cases related to ML/TF, and of these nine we examined the four requests by the Commission to the EBA concerning ML/TF-related breaches of Union law between 2016 and 2019, in order to examine co-ordination between the two.

The Commission’s approach to BUL requests was ad hoc


The Commission has no internal guidance for triggering a request to the EBA for an investigation. The Commission made the requests on an ad hoc basis and, in most cases, they followed within days of media reports of an AML/CFT-related issue in a Member State. There was no formal consultation between different services of the Commission.


In three of the four cases examined the Commission asked the EBA to ensure that a specific financial institution satisfied the requirements in Article 1(2) of the EBA Regulation and to investigate a possible breach or non-application of Union law. This was despite the fact that the EBA’s legal powers then in force related to the activity of the national supervisors, and not directly to the activity of financial institutions.


This lack of internal consultation and mis-characterisation of the EBA’s powers suggests that the Commission’s approach was ad hoc.

There were excessive delays in EBA action on BUL allegations


Of the four requests from the Commission, the EBA decided to not investigate two of them, but only after considerable delay. In one case, the EBA took action to gather evidence promptly but then took no further action for over a year. In the other, it took no action to gather evidence at all. The EBA’s formal response to the Commission was a letter that came after 13 months in one case and 26 months in another. It concluded that there was no substantial prospect of the EBA proceeding to a BUL investigation in light of the decision in a preceding case (see paragraphs 78-79).


There was no clear rationale for this delay in the EBA documents we examined. Such a delay is not consistent with the principles of good administration or mutual co-operation between EU bodies and institutions. The effectiveness of the BUL process is also limited, as the requests did not produce a result (either an investigation or a decision not to investigate) for an excessive length of time. This meant that during this time the Commission had a reduced ability to take action relating to these cases.


In the two other cases, the EBA initiated an investigation that in both cases led to a draft recommendation concerning a breach of Union law being submitted to the EBA’s Board of Supervisors (BoS). In both cases, we found that the EBA staff carried out a comprehensive investigation of the issue under consideration, following the internal rules. In one case the BoS decided there had been a breach of Union law but not in the other.

High-level EBA decision-making was influenced by national interests


In the first of the two cases that were investigated, the BoS found within the two-month legal time frame that a breach of Union law had occurred and issued the recommendation to the national supervisor concerned. It promptly informed the EBA of the steps being taken. In line with its powers, and after consulting the EBA, the Commission decided that these steps were neither adequate nor appropriate to ensure compliance with Union law. The Commission then issued an opinion to the relevant national supervisor on necessary actions. On the whole, we found evidence in this first case of efficient and effective co-operation between the EBA and the Commission in carrying out their respective roles under the EBA Regulation.


In the second case, the EBA completed the BUL investigation within the two-month legal period. The investigation involves the convening of a panel, which comprises the EBA Chair and six other BoS members from Member States whose authorities are not concerned by the investigation. In this case, the panel considered a draft recommendation for a BUL, which was then sent to the full BoS for its consideration. We found written evidence of attempts to lobby panel members during the period when the panel was deliberating on a potential recommendation to the BoS. In the end the BoS rejected the draft recommendation.


With regard to the standards in place concerning this kind of lobbying, all BoS members are subject to the provisions of Article 42 of the EBA Regulation which obliges them to “neither seek nor take instructions from any government of a Member State or from any other public or private body.” Likewise, in the same article, Member States or other public bodies such as national supervisors are prohibited from seeking “to influence the members of the Board of Supervisors in the performance of their tasks”. While the EBA has detailed Rules of Procedure for a BUL investigation, these contain no specific guidance on whether panel members should accept approaches from other BoS members, or whether these other BoS members may attempt to lobby panel members.


The Commission was not present for the discussion of this matter due to its non-voting status, and was only formally informed of the decision and its rationale ten days after the BoS meeting. Later that year, the Commission concluded that this case raised ”questions for the future, including on how to ensure that supervisors can be held accountable for their actions to ensure financial institutions’ compliance with Union law, especially when working with minimum harmonisation Directives”36.


As long ago as 2014 the Commission concluded that the EBA’s governance allows it to take decisions, at times, that are more geared towards national rather than broader EU interests37. Our own report on the EBA stress tests (SR 10/2019) concluded that the dominant role of national authorities meant that the EU perspective was insufficiently taken into account38. The incidence of lobbying outlined above is further evidence that national supervisors are too dominant within the EBA's governance framework.


A new EBA regulation came into effect on 1 January 2020, and provides for some changes to the BUL procedure in general, and in relation to AML/CFT. However, the key governance shortcomings at the EBA outlined in the previous paragraphs remain.

Information sharing between the Commission and the EBA has not been formalised


In each of the two BUL cases the EBA investigated, it took a very different approach to sharing documents with the Commission, which is a non-voting member of the BoS.


In the first case (see paragraph 77) it shared the draft recommendation with the Commission BoS representative. In the second case (see paragraphs 78-79) the EBA refused to share any documents with the Commission at all in advance of the BoS meeting based on professional secrecy considerations in its founding regulation. It eventually provided the draft recommendation to the Commission a month after the decision had been taken.


We also found that there is no formalised exchange between the EBA and the Commission after the Commission sends the EBA a request for a potential breach of Union law procedure, but rather informal contacts. Although the EBA Regulation then in force did not require it, a formalised regular exchange between the two parties would have enhanced clarity and the traceability of the steps that the EBA intended to take following such a request from the Commission and would have allowed the Commission to express its expectations in terms of deadlines and priorities when it was addressing several BUL requests to the EBA in parallel.


Overall, the BUL process lacks effectiveness. The Commission has an ad hoc approach to making requests, and the EBA Board of Supervisors (despite efficient preparation by staff) is not oriented toward the EU interest when using its BUL powers.

The ECB has started to integrate ML/TF risks into prudential supervision but, despite improvements, information-sharing is not fully efficient


In late 2014, the ECB assumed responsibility for the prudential supervision of credit institutions (for simplicity “banks”) within the Banking Union39, in practice it means direct supervision of about 120 banks or banking groups in the euro area.


Prudential and AML/CFT supervision have different objectives and approaches. Risks arising from ML/TF and prudential concerns can overlap and there are complementarities between the two types of supervision. For example, a business model reliant on ML/TF could increase the risk of bank failure. Or the presence of ML/TF could be indicative of otherwise poor risk management which is prudentially relevant.


The new ECB supervisory powers conferred in 2013 specifically excluded it from taking responsibility for the prevention of the use of the financial system for the purpose of ML/TF40; these powers were left with the national authorities responsible for ML/TF supervision (for simplicity “national AML/CFT supervisors”). The recitals of the SSM Regulation indicated that the ECB should co-operate fully with these national AML/CFT supervisors41. To overcome subsequent legal uncertainty42 around this cooperation, legislation to facilitate specific co-operation came into effect in 201843 and 201944.


In the Member States, national ML/TF supervisors are usually part of the same public body that carries out prudential supervision of banks. In general, the Member States we spoke to pointed to the potential synergies of such an approach within their national frameworks.


The Single Supervisory Mechanism (SSM) was set up in 2014, but our audit emphasis is on developments from 2018 until June 2020. Our focus was to examine whether the ECB made efficient use of identified ML/TF risk factors in its prudential supervision.


We also checked whether there was an appropriate framework in place to facilitate efficient information exchange between the ECB and the national supervisors. We assessed whether there was a robust methodology in place for efficiently integrating prudential implications of ML/FT risks in the ECB’s ongoing prudential supervision, namely in the context of the Supervisory Review and Evaluation Process (SREP).


We reviewed the applicable EBA SREP guidelines, the ECB’s supervisory manual, the internal controls within the ECB and related statistical information. We also examined their implementation by reference to a sample of 12 banks45 directly supervised by the ECB. In doing so, we focused on the last two finalised SREP cycles of 2018 and 2019. We drew our sample on a risk basis focusing on banks where the ECB had most communication with national supervisors, while also ensuring geographical spread.

Despite improvements, sharing of information between national supervisors and ECB is not fully efficient


Based on our interviews with ECB staff, prior to 2019 interaction between the ECB and national AML/ CFT supervisors occurred on an informal basis through ongoing supervision, although not necessarily on a consistent and structured basis. We saw no evidence of this, as the SREP cycles we assessed did not cover that period.


In addition, the vast majority of national prudential supervisors also have an AML/CFT supervision mandate (see Figure 5), known as “integrated supervisors”. The extent of sharing information within these supervisors varies, due to factors such as organisational structure and the national legislation. In some cases it was not shared internally, which highlights the role the ECB can play in facilitating information exchange.

Figure 5

Responsibilities in prudential and AML/CFT supervision of banks

Note: the ECB cooperates with national supervisors of credit and financial institutions only.

Source: ECA based on the relevant legislation; in a small minority of Member States NCAs for prudential and ML/TF purposes are separate public bodies.


In early 2019, the ECB and the national supervisors signed an agreement on the practical arrangements for information exchange (the “AML Agreement”)46. This AML Agreement defined in general terms the information that has to be exchanged from both sides, including the procedures to be followed based on requests or 'own initiative' exchanges. See Annex VII for more details.


To facilitate the use of the AML Agreement, at the end of 2018 the ECB set up a horizontal co-ordination function within the SSM resourced with six FTEs, to act as a central point of contact between national supervisors and line supervisors within the ECB.


From the operationalisation of the AML Agreement in January 2019 until November 2019, in the context of the annual regular cycle the ECB did not receive AML/CFT supervisory information from national supervisors for any significant institution. Furthermore, there was no information exchange between the ECB and the national supervisors under the AML Agreement in this period in relation to approximately a third of the banks directly supervised by the ECB.


On the other hand, for the period from December 2019 until June 2020, in the context of the annual regular cycle, the ECB received 152 sets of information related to 110 banks. For more details of the information exchange for the 120 large banks directly supervised by the ECB, see Table 5.

Table 5

Summary of information exchange between ECB and AML/CFT authorities under the AML Agreement.

Period Information flow Regular exchanges Ad hoc exchanges (own initiative) Exchanges based on requests
January 2019 – November 2019 ECB > AML/CFT authority 75 Information exchange for 65 SIs. 15 Information exchange for 14 SIs. 0
AML/CFT authority > ECB 0 55 Information exchange for 32 SIs. 18 information exchanges (as a response to 19 requests submitted by the ECB) in relation to 15 SIs.
December 2019 – June 2020 ECB> AML/CFT authority 79 information exchanges for 69 SIs 8 Information exchange for 8 SIs. 4 Information exchanges (as a response to 4 requests submitted by AML/CFT authority) in relation to 4 SIs
AML/CFT authority> ECB 152 information exchanges for 110 SIs. 17 Information exchange for 13 SIs. 1 Information exchange (as a response to 3 requests submitted by ECB) in relation to 3 SIs

Source: ECA based on statistical information submitted by the ECB.


The data in Table 5 and our audit work show that information exchange has become more frequent and consistent since the AML Agreement was put in place in early 2019, as regular exchanges between the ECB and AML/CFT authorities became more frequent from the first part of 2020.


The ECB established standard templates for requesting and transmitting AML/CFT-related information with the national supervisors both for regular exchanges and for ad hoc requests. The ECB also put a framework in place to provide information to AML/CFT authorities, such as supervisory measures relating to shortcomings in internal governance.


We found delays in some cases of up to six months in the transmission of information from the ECB to national supervisors, for example relating to the AML/CFT extracts from the SREP decisions, information from ECB’s offsite supervision, and information on suspicious non-performing loan transactions. While the AML agreement does not have clear deadlines, much of the delay originates from the multiple layers of management approval needed within the ECB47. Its managers have very little delegated authority to share information. This may lead to a delay in the national supervisors taking action where necessary.


The material supplied by national supervisors (such as on-site inspection reports) varied in scope and quality, and was not always provided in a timely fashion. In some cases, the national supervisors shared the actual excerpts or even full onsite inspections reports with the ECB. For other banks, only summary material was provided.


The EBA is in the process of drawing up guidelines on cooperation and information exchange between prudential supervisors, AML/CFT supervisors and FIUs. The guidelines are expected to be issued for public consultation in the second quarter of 2021 and will provide clearer guidance.

National supervisors use different methodologies, and EBA guidance on supervisory assessments is not specific enough


In our sample of banks, we also found that the national supervisors use very different methodologies for their AML/CFT assessments, for example using different scales and criteria for scoring risk mainly due to the minimum harmonisation nature of the legal framework. This leads to an increased risk of inconsistent factoring by the ECB of prudential concerns related to ML/TF risks into prudential supervision of banks from different jurisdictions, although it is not within the ECB’s remit to challenge these scores or the risk methodologies. The EBA is currently consulting on changes to its existing guidelines for risk-based AML/CFT supervision.


An explicit reference to anti-money laundering was only included in the revised EBA SREP guidelines48 in July 2018, although in general terms. The ECB’s own internal guidance was of a general nature as well.


An explicit legal basis for integrating ML/TF risk into prudential supervision only came into effect in June 2019 (see paragraph 89). This also needed transposition at Member State level.


After a request by the Council to produce relevant guidance, the EBA published two opinions. However, in the absence of a harmonised legal framework and detailed EBA guidelines, prudential supervisors in general, and the ECB in particular, do not have a full set of information and tools for consistently reflecting the prudential implications of ML/TF risks under the SREP.


The ECB updated its own Supervisory Manual in early 2020 in line with the EBA guidance in place. The supervisory practice is to update internal manuals when EBA guidance is in place on, for example, how AML/CFT related concerns and supervisory considerations may feed into the overall SREP score.


For the SREP 2018 and 2019 cycles, the ECB did not perform a consistency check to see how ML/FT concerns were factored into their SREP assessments, although this was done for the 2020 SREP cycle49. For the banks in our sample however, we found evidence that the ECB factored ML/TF-related information into its SREP decisions in 2018 and 2019. For banks with identified ML/TF weaknesses, the ECB made recommendations to remedy the prudential deficiencies. In a minority of cases, the staff considered the information provided by the national supervisors, but assessed it to be non-material for prudential purposes. SREP decisions (or relevant parts) were sent both to the banks and to the national supervisors. The ECB is not responsible for checking the actions of the national supervisors for their core activities but simply for making them aware of such information.


Overall, the ECB has made a good start in integrating ML/TF risk into prudential supervision. More efficient decision-making by the ECB is needed, and forthcoming EBA guidance will need to be integrated by the ECB and national supervisors.

Conclusions and recommendations


Overall, we found that EU-level action in the fight against ML/TF has weaknesses. There is institutional fragmentation and poor co-ordination at EU level when it came to actions to prevent ML/TF and take action where risk was identified (see paragraphs 50 to 66). The EU bodies we audited have limited tools at present to ensure sufficient application of AML/CFT frameworks at national level (see paragraphs 67 to 86; 87-111). There is no single EU supervisor for ML/TF and the EU’s powers in relation to ML/TF are split between several bodies and co-ordination with Member States is carried out separately.


Currently, the EU’s main approach to protecting its banking sector from being used for ML/TF is by applying legal requirements that come mainly in the form of directives. Member States have the obligation to transpose the directives, and bear the main responsibility for tackling ML/TF through their national supervision frameworks. Member States are also responsible for enforcement. In effect, application of EU AML/CFT law differs from Member State to Member State.


In generating the 2019 third-country list the Commission made good use of intelligence (including from Europol) and it applied its methodology appropriately (paragraphs 31 to 37). The EEAS initially failed to provide the requested inputs to the Commission for generating the list, and communication with listed third countries was inconsistent (paragraph 28). Despite attempts by the Commission to generate an autonomous EU list, it has not yet managed to go beyond the FATF list so far, due to lack of approval from the Council (paragraphs 35 to 36).


The Commission’s risk assessment methodology does not prioritise ML/TF risks clearly in its SNRA, nor does it make clear when the risk assessment sectors change (paragraph 44). The Commission has not made rapid updates to the SNRA in line with its powers, and does not refer to the geographical dimension (paragraph 46). The Commission has not yet published statistics on ML/TF in line with its new legal obligations, making it difficult to assess the scale of ML/TF in the EU right now (paragraph 48).

Recommendation 1 – The Commission should improve its risk assessments

The Commission should:

  1. use greater prioritisation of sectors based on risk throughout the whole supra-national risk assessment exercise: from planning to follow-up, specifying when and why they are changing; and carrying out updates for fast-moving sectors and adding a geographical dimension, where relevant;
  2. implement the new methodology to generate an autonomous EU third-country list; working in liaison with the EEAS and Member States to ensure integration of intelligence, and early communication with listed third countries;
  3. put in place tools to mitigate ML/TF risk from third countries at the level of the entity or sector.

Timeframe: by end-2021


AMLD transposition is complex, and in most cases, Member States were slow to transpose AMLD. In many cases their communication of transposition to the Commission was incomplete or late (paragraphs 60 to 62). Nonetheless, we identified occasions where the Commission’s assessment was slower than the Commission’s own internal guidelines suggest (paragraph 58). The Commission’s work on transposition assessment was understaffed (see paragraph 65), and reliance on outsourcing had limitations (paragraph 56). Taken together, these factors delayed the Commission’s ability to take measures in relation to the non-transposition.


This slow transposition contributed to an inconsistent legal framework across Member States (paragraph 58) and increased the risk of weak points being exploited by money launderers. Commission workshops were a useful tool to support Member State administrative capacity (paragraph 53). Despite this good quality guidance from the Commission, Member States took a long time to transpose the legislation and overstated the extent to which they had done so (see paragraph 54). Overall, it shows that for a complex area like AML/CFT legislation, a level playing field can be better achieved by use of regulations rather than directives.

Recommendation 2 – The Commission should ensure the consistent and immediate effect of AML/CFT legislation

The Commission should make use of a regulation over a directive to the extent possible.

Timeframe: by end-2021


When it comes to co-ordination, the Commission carries out little analysis of its own before initiating BUL requests to the EBA, relying mainly on public reports (paragraph 71).


In general, EBA staff carried out investigations into alleged ML/TF-related breaches of Union law in time and in line with internal guidance (paragraph 76). However, the EBA took an unreasonable amount of time to decide whether to investigate certain cases (paragraphs 74 and 75), and carried out no ML/TF investigations on its own initiative (paragraph 70). At the EBA, we found evidence of lobbying of members of a panel while it was considering a potential ML/TF-related breach of Union law. The EBA does not have specific rules in place to prevent lobbying of this kind (paragraphs 78 and 79). For BUL, the EBA’s decision-making process is not sufficiently EU-oriented, due to the influence of national supervisors in its decision-making process, and the closure of cases without investigation shows that the EBA is now reluctant to carry out ML/TF BUL investigations. As a result, the EBA has only made one positive finding of a breach of Union law related to ML/TF since its powers came into effect in 2010.


Taken together, this suggests that the breach of Union law mechanism is not contributing to the uniform application of AML/CFT law across the EU, putting at risk the integrity of the single market.

Recommendation 3 – The EBA and Commission should make better use of their BUL powers for ML/TF

The Commission should:

  1. put in place directorate-general-level internal guidance for making ML/TF breach of Union law requests;
  2. make use of information on cases when making use of its legal powers to ensure EU law is applied;
  3. propose legislative amendments to provide legal clarity on what information should be shared with the Commission by the competent body for investigation of BUL complaints during the breach of Union law process.
  4. The EBA should:

  5. ensure that decisions to investigate or not to investigate are taken without undue delay when breach of Union law referrals are received;
  6. put in place rules to prevent other BoS members from seeking to influence panel members during their deliberations.

Timeframe: by end-2021


In line with new obligations, the ECB has put in place a framework for integrating ML/TF-related information into prudential supervision, and is actively exchanging information relating to ML/TF risk with national supervisors. However, the efficiency with which information leaves the ECB is hampered by a cumbersome ECB decision-making process (paragraph 102). The ECB has neither the responsibility nor powers to investigate how the information that it sends outward is used by national supervisors. There is no EU-level AML/CFT supervisor so ultimately the national supervisors are responsible for monitoring compliance and taking action (paragraph 07).


National AML/CFT supervisors have begun to provide the ECB with bank reports that are prudentially relevant. However, these reports vary in scope due to national practices, and updated EBA guidance for AML/CFT supervisors is still being developed (paragraph 117). This reduces the ability of the ECB to incorporate them efficiently into its supervisory assessments (paragraphs 108 and 109). Based on our sample, we can conclude that the ECB is now integrating ML/TF risk into prudential supervision (paragraphs 110 and 111).

Recommendation 4 – EBA and ECB should work to better incorporate ML/TF risk into prudential supervision

The EBA should:

  1. enhance its guidance for incorporation of ML/TF risk into prudential supervision;
  2. Timeframe: By the end of the first quarter of 2022

  3. finalise guidelines on the risk-based approach to AML/CFT supervision to provide for greater consistency in AML assessments of supervised entities;
  4. Timeframe: By the end of 2021

  5. specify in its guidelines on co-operation and information exchange the content of information to be shared, as well as timelines for doing so
  6. Timeframe: By the end of 2021

    The ECB should:

  7. put an internal policy in place for more efficient sharing of ML/TF-related information with national supervisors;
  8. Timeframe: by the end-of the first quarter of 2022

  9. update its methodology for integrating ML/TF risk in prudential supervision once updated EBA guidelines are published.
  10. Timeframe: by the end-of the second quarter of 2022


Given the high level of cross-border integration in the EU banking sector, the deficiencies in the current design and implementation of the EU AML/CFT framework (see paragraph 112) represent risks to financial market integrity and public trust. The forthcoming legislative reform (see paragraphs 13 to 15) is an opportunity for the Commission, the European Parliament and the Council to address the weaknesses identified (see paragraphs 364966, and 86) and to remedy the fragmentation of the EU AML/CFT framework.

This Report was adopted by Chamber IV, headed by Mr Alex BRENNINKMEIJER, Member of the Court of Auditors, in Luxembourg at its meeting of 20 May 2021.

For the Court of Auditors

Klaus-Heiner LEHNE


Annex I – EU legal framework

The EU adopted the first AML Directive in 1991. The latest, fifth version of the AML Directive is Directive (EU) 2018/843 of the European Parliament and the Council of 30 May 2018. Member States were obliged to enact it in national law and implement its provisions no later than 10 January 2020. Over the years, the Directive has become steadily wider in scope and, for the banking sector, covers:

  1. record-keeping by both financial institutions and non-financial parties such as lawyers, notaries, accountants and estate agencies;
  2. full definitions of a range of criminal activities;
  • requirements for the identification, tracking, seizure and confiscation of property and the proceeds of crime;
  • measures to combat terrorist financing;
  • transparency in the transfer of funds;
  • requirements for the sharing of information on money laundering among Member States.
  • extending the scope to include digital assets (cryptocurrencies);

Moreover, there are other EU laws which complement the AML Directive:

  • the Wire Transfer Regulation , which focuses on helping law enforcement authorities track down terrorists and criminals by making transfers more transparent;
  • the Directive on combating money laundering by criminal law, which ensures that there are similar definitions of AML/CFT offences across the EU, as well as minimum penalties;
  • technical standards, opinions and guidelines for national authorities, drawn up by some or all of the three European supervisory authorities (EBA, ESMA50 and EIOPA51), which the Commission has adopted and made law in the form of delegated regulations.

Annex II – Comparison of AMLD4 and AMLD5

4th AML-Directive 2015/849 5th AML-Directive 2018/843
Published: 20 May 2015;
Came into effect: 26 June 2017
Published: 19 June 2018;
Came into effect: 10 January 2020
• Risk assessment at EU level (SNRA) and national risk assessment required
• Beneficial Ownership
• Home and host responsibilities for companies operating also in other Member States
• FIUs powers strengthened
• Simplifies due diligence
• Gambling: extension to all gambling services
• Altered and expanded definition of politically exposed persons (PEPs)
• Suspicious Activity Reports
• Record keeping can be extended up to 10 years
• Cash payments threshold to trigger AML checks lowered to €10 000

• Improve the work of FIUs with better access to information through centralised bank account registers
• Improve cooperation between anti-money laundering supervisors and the ECB
• Reinforcement of EBA’s supervisory role
• Broaden the criteria for assessing high-risk third countries and ensure a common high level of safeguards for financial flows from such countries
• Lifting the anonymity on prepaid cards
• Interconnection of the beneficial ownership registers at EU level
• Politically exposed persons (PEP) list
• Increase transparency about companies’ and trusts’ ownership
• New cryptocurrency rules

Annex III – Different EU listing processes

Non-cooperative tax jurisdictions Restrictive measures (sanctions) AML third-country List
List • List of non-cooperative tax jurisdictions for tax purposes; • List of autonomous EU sanctions including measures agreed by the UN Security Council (to implement UN Security Council Resolutions) • High-risk third countries with strategic deficiencies in their regime on anti-money laundering and counter terrorist financing
EU objectives
➢ To improve tax good governance globally (overall goal);
➢ To ensure that the EU's international partners respect the same standards as EU Member States;
➢ To encourage positive change tax legislation and practices, through cooperation;
➢ To fight against tax fraud and evasion, tax avoidance, and money laundering; tool for securing a level playing field.
➢ To put pressure on tax havens to apply rules and standards to achieve transparency, fair tax competition and the implementation of international standards against tax base erosion/profit shifting.

➢ Tool of EU's common foreign and security policy (CFSP), through which the EU can intervene where necessary to prevent conflict or respond to emerging or current crises.
➢ To bring about a change in policy or activity.
➢ To implement UN Security Council Resolutions or to further the objectives of the CFSP, namely promoting international peace/security, preventing conflicts, supporting democracy, the rule of law, human rights and, defending the principles of international law.
➢ To support the fight against terrorism and the proliferation of weapons of mass destruction

➢ A defensive policy designed to protect the integrity of the internal market from third-country jurisdictions which pose significant threats to the financial system of the Union.
➢ Selection phase: Member States are selected based on a neutral scoreboard of indicators.
➢ Screening phase: work of the Global Forum on Transparency and Exchange of Information for Tax Purposes and OECD Inclusive Framework for Tackling Base Erosion and Profit Shifting is considered. Overall assessment criteria: compliance with several OECD Standards.

➢ Some sanction regimes are mandated by the UN Security Council, others are adopted autonomously by the EU based on information from EEAS, Member States, EU delegations and EU Commission.
➢ Restrictive measures must always be in accordance with international law, respect human rights/fundamental freedoms, in particular due process and the right to an effective remedy.

➢ The Commission takes information from the FATF and other FATF-style regional bodies into account, includes a stock-take of other relevant information in the public domain, and considers private information that is available to other EU bodies (e.g. Europol, EEAS).
Main role of EU institutions
➢ List is based on a Commission communication on an external strategy for effective taxation presented in the 2016 anti-tax-avoidance package; EU Commission is in charge of producing a neutral scoreboard of indicators.
➢ The Council of the EU (Code of Conduct Group on Business Taxation): has to screen and list the countries; finally adopts/revises the list.

➢ The Council of the EU: adoption (regulation), renewal, or lifting of sanctions regimes, on the basis of proposals from the High Representative of the Union for Foreign Affairs and Security Policy.
➢ European Commission
• to prepare proposals for regulations on sanctions for adoption by the Council;
• to represent the Commission in sanctions-related discussions with Member States at the Council Working Party of Foreign Relations Counsellors;
• to transpose certain UN sanctions into EU law;
• to monitor the implementation/enforcement of EU sanctions across Member States;
• to support Member States in their efforts to apply sanctions;
• to enhance the resilience of the EU to extra-territorial sanctions adopted by third countries.
➢ EEAS: in charge of preparing and reviewing sanction regimes in cooperation with Member States, relevant EU delegations and the EU Commission.

➢ The Commission is legally obliged to identify countries outside the EU that have shortcomings in their national AML framework which pose a risk to the EU’s financial system. It makes use of rankings found in the Commission’s own 2016 “Tax Scoreboard” which ranks countries on economic connectedness with EU, relative size of financial sector, and corruption.
➢ The Commission adopts the list of high-risk third countries by way of a “Delegated Act”: obligation to consult the EGMLTF and also the European Parliament before adoption.
➢ The list is proposed by the EU Commission, the Parliament or the Council may reject this proposal within 30 days.
➢ At least once a year; from 2020, twice a year.

➢ EU autonomous provisions are reviewed at least once every 12 months. The Council can decide at any time to amend, extend or temporarily suspend them.

➢ At least once a year, but can be more frequent.
➢ Only jurisdictions outside the EU can be listed;
➢ Jurisdictions which are EU overseas countries and territories (but not part of the EU themselves) can also be listed.

➢ Governments of non-EU countries (because of their policies;
➢ Companies (providing the means to conduct the targeted policies);
➢ Groups or organisations (such as terrorist groups);
➢ Individuals (supporting the targeted policies, involved in terrorist activities, etc.);
➢ Sanctions have an effect in non-EU countries, but the measures apply only within EU jurisdiction; the obligations they impose are binding on EU nationals or persons located in the EU or doing business here.

➢ Non-EEA countries and territories. These can in principle include EU overseas countries and territories which are not part of the EU themselves.
➢ EU defensive measures in non-tax areas:
• EU institutions/Member States must take the EU list into account in: foreign policy, development cooperation, and economic relations with third countries;
• EU Commission should consider it in the implementation of EU financing and investment operations, inter alia, the EFSI and EFSD.
➢ EU defensive measures in tax areas

➢ The EU has over forty different sanction regimes in place. Depending on the sanction scheme, it can lead to an arms embargo, a restriction on admission (travel bans), an asset freeze, or other economic measures such as restrictions on imports and exports.

➢ This has an impact on a firm within the EU doing business with a person or firm in a listed country. Obliged entities within the EU (such as a bank) have to carry out enhanced customer due diligence when dealing with a listed third country. This is a step up from normal due diligence and may include greater checks on identity of a customer, beneficial ownership and/or source of funds.

Annex IV – EU and US

FATF recommendation How the EU does it Level How the US does it Level
1 Assessing risks & applying a risk-based approach The EU publishes a supra-national risk assessment every two years. The EBA also publishes sectoral risk assessments on occasion. Member States must also publish their own risk assessments. Supervisors and obliged entities are expected to take this into account when carrying out their activities. MS and EU-level Multi agency cooperation to assess risks with annual or bi annual updates: the U.S. maintains a substantial number of complementary processes to identify and assess ML/TF risks which generate a wide variety of outputs. Risk assessments to support the President’s national security strategies are prepared by relevant government agencies with participation from intelligence, law enforcement, and policy agencies involved in AML/CFT, including FinCEN which contributes ML/TF risks and trends identified from the reporting regime. Federal
9 Financial institution secrecy laws Member States must put in place laws to ensure that information can be shared with revenue authorities and law enforcement. Under AMLD supervisors must have the power to compel the production of any information that is relevant to monitoring compliance. MS-level The Right to Financial Privacy Act (RFPA) (12 USC 3401-22.) governs how US Federal agencies obtain information from FIs and under what circumstances they may disclose it. It puts certain safeguards in place before banks can disclose customer information to law enforcement or supervisory authorities. Federal
10-11 Customer due diligence and record keeping Banks in the EU are prohibited from keeping anonymous accounts and are obliged to carry out customer due diligence on new and existing business. They are obliged to keep records for a given period of time and supply them to supervisors (if requested). MS-level Keeping anonymous accounts or accounts in obviously fictitious names is not expressly prohibited. However, banks are required to implement risk-based procedures for verifying the identity of each customer to enable a bank to form a reasonable belief that it knows the customer’s true identity. Banks are not explicitly required to identify and verify the identity of persons authorised to act on behalf of customers. Banks are generally obliged to keep records for at least five years. State
12-16 Additional measures for specific customers and activities Measures relating to PEPs and correspondent banking are dealt with at Member State level. Money, value, and wire transfers have some obligations based on directly applicable EU law, such as the Wire Transfer Regulation (Regulation 2015/847). MS and EU-level Regarding correspondent banking , each concerned bank is required to establish appropriate, specific policies, procedures, and controls that are reasonably designed to detect and report instances of ML through those accounts. As regards money value, wire, and transfer service providers, both formal and informal, are subject to BSA requirements including registration with FinCEN.
17-19 Reliance, Controls and Financial Groups Member States may allow obliged entities to rely on third parties to provide due diligence subject to certain standards. Standards exist for AML controls for cross-border banks, and national supervisors are expected to co-operate in colleges. For high-risk third countries, the EU adopts a list and supervised entities are expected to put in place enhanced due diligence for dealings with these high-risk third countries. MS and EU-level Covered FIs are required to establish AML programs, including, at a minimum:
a) developing internal policies, procedures and controls; b) designating a compliance officer sufficiently senior to assure compliance with all obligations under the BSA; c) have an ongoing employee training programme; and d) have an independent compliance function to test programmes.
As regards high-risk countries, FIs are required to apply enhanced due diligence to correspondent accounts established or maintained in the U.S. for certain categories of foreign banks. This list is adopted by FinCEN at federal level.
20-21 Reporting of suspicious transactions Obliged entities in the EU Member States are obliged to report suspicious activities or transactions to the national financial intelligence unit (FIU). These FIUs have a platform to share intelligence at EU level (FIU.net). Europol, the EU police agency, also collects and disseminates intelligence on patterns of money laundering activity. MS and EU-level The US requires reporting of suspicious transactions by Covered FIs. FIs are directed to report to law enforcement immediately violations requiring immediate attention, such as ongoing ML schemes and terrorist activity. Unless required to be reported immediately, reports of suspicious transactions must be filed with FinCEN. State
24-25 Transparency and beneficial ownership of legal persons and arrangements EU AML legislation obliges Member States to put in place registers of beneficial ownership information in central registries that must be connected. Sanctions must also be put in place for those who fail to comply. However, there is no common EU-level register for beneficial ownership and information. MS-level The formation of US legal entities is governed by State law. Each of the 56 States, territories and the District of Columbia has its own laws for the formation and governance of legal entities. Federal law also applies to them, once formed, in certain areas (e.g. criminal law, securities regulation, taxation). In 2016 the US was assessed by FATF as having deficiencies in coordination in this area, specifically as adequate, accurate and timely information on the beneficial ownership and control of legal persons could not always be obtained or accessed in a timely fashion by competent authorities. State
26-28 Regulation and Supervision The governing legislation is set at EU level and is mainly in the form of a directive. This outlines obligations for certain EU bodies such as the Commission and the EBA. Member States must also transpose certain requirements into national legislation. Each Member State must have a money laundering supervisor or supervisors for obliged entities within its jurisdiction.
In practice, regulatory technical standards are set at EU level and banks and national supervisors are expected to comply. EU-level oversight comes in the form of the power of the Commission to issue infringement proceedings when a Member State fails to put legislation into place. Also, the EBA can investigate and make recommendations if a potential breach of Union money laundering law has been identified.
MS and EU-level Due to the international nature of both the financial system and serious crime and terrorism, the Federal Government has taken the primary role in law making and enforcement in the areas of money laundering (ML) and terrorist financing (TF). State laws can be pre-empted when Congress explicitly includes a pre-emption clause, when a State law conflicts with a Federal law, and when the States are precluded from regulating conduct in a field that Congress has determined must be regulated exclusively by Federal authorities. Federal regulators (OCC, Federal Reserve, FDIC,NCUA,...) have delegated examination and enforcement authority from FinCen.
The legal base is the BSA from 1970 and Bank Secrecy Act Implementation; strengthened by the USA Patriot Act from 2001. The U.S. AML/CFT system has a strong law enforcement focus. All LEAs (Federal, State, local) have direct access to SARs filed with FinCEN. A particularly strong feature is the inter-agency task force approach, which integrates authorities from all levels (Federal, State, local). This approach is widely used to conduct ML/TF and predicate investigations, and has proven very successful in significant, large and complex cases.
Federal & State
33 Statistics The EU legal framework obliges Member States to collect statistics on ML, and for them to submit them to Eurostat, the EU's statistical office. Eurostat is then obliged to report these statistics, but the legal obligation is only just coming into force. In the mean time, there is little systematic quantitive data on volumes of money laundering and terrorist financing. MS and EU-level The US maintains comprehensive statistics except on the investigations, prosecutions and convictions related to the State ML offenses, or statistics on the property frozen, seized and confiscated at the State level. Federal & State
35 Sanctions Member States are obliged to empower and resource money laundering supervisory authorities to take sanctions when breaches of supervisory rules are detected. In practice, the nature and severity of sanctions vary by jurisdiction. MS-level A range of proportionate and dissuasive criminal, civil and administrative sanctions are available, ranging from disciplinary letters to fines and imprisonment. FinCEN may bring an enforcement action for BSA violations. It has sole Federal enforcement authority over FIs and covered DNFBPs. Besides CMPs, FinCEN can take other formal and informal administrative actions. Other agencies (such as SEC) are also empowered under their respective Act for taking a range of supervisory actions. Federal

Source: ECA summary, based on various FATF, FinCEN, Commission, and EBA documentation.

Annex V – Steps in the BUL process

Phase Process Stakeholder Timeline
Request Article 17 of Regulation 1093/2010 (The EBA Founding Regulation) Article 17 provides for the possibility of the EBA to investigate alleged breaches or non application of Union law, on its own initiative or at the request of certain bodies, to make a breach of Union law investigation of certain bodies.
The EBA Regulation does not lay down how and when, i.e. none of these bodies (including the Commission) has any legal obligation concerning how or when it should make a request to the EBA.
A request must be made to the EBA by one or more competent authorities, the European Parliament, the Council, the Commission or the Banking Stakeholder Group. A request can be made at any time and the EBA does not have a specific legal obligation to respond within any length of time.
Preliminary Enquiry A preliminary assessment of the alleged BUL. The EBA carries out preliminary enquiries, including communication with competent authorities, in order to establish the facts concerning the alleged BUL. There is no specific legal time limit for this period.
Investigation The formal process to decide whether a BUL has occurred. The EBA Chair decides whether to start a BUL investigation or not. The EBA’s Rules of Procedure provide for the convening of a Panel consisting of the Chair and six Board of Supervisors (BoS) members who are not concerned by the investigation. The Panel decides either:
  • to close the investigation without adopting a recommendation
  • or, if a BUL is established, to make a recommendation to the BoS for a BUL.
The EBA may address a recommendation to the competent authority concerned setting out the action necessary to comply with Union law no later than two months from initiating its investigation.
Recommendation The BoS concludes that there is breach of Union law and addresses a recommendation to the competent authority concerned. The decision to adopt a recommendation is taken by the EBA’s Board of Supervisors, comprised of supervisors from 27 competent authorities. The decision concerning adoption of a recommendation must be taken within two months of inititation of the investigation (see previous point).
Communication Addressing the recommendation to the national competent authority (NCA) The recommendation sets out the action necessary to comply with Union law. The NCA must respond within ten days.
Opinion Where the competent authority has not complied, the Commission may issue a formal opinion to the NCA. The Commission may act, after having been informed by the EBA, or on its own initative. The Commission may issue such a formal opinion no later than three months after the adoption of the recommendation, and may extent this by one month.

Source: EBA Regulation, EBA Rules of Procedure.

Annex VI – Transposition checks

Transposition deadline 26 June 2017
Member state notifications submitted by the deadline or before the launch of non-communication infringements 6
Number of Member States that had not notified complete transposition at the time of this audit (July 2020) 8
Number of non-communication and non-completeness infringement proceedings initiated 28
Overall duration of infringement proceedings on completeness (months)52 More than 36 (ongoing)53

Source: ECA analysis of Commission analysis.

Annex VII – Types of exchange of information at the ECB

Categories Exchanges in context of annual regular exchange of information (sent and received) Ad hoc exchanges on own initiative (Sent and received) Exchanges based on ad hoc requests (sent and received)
Information shared Annual sharing of excerpts SREP decisions by the ECB with AML/CFT authorities (shared on own initiative)

ML/TF risk scores and assessments; OSI reports and sanctions (annual requests send by the ECB to AML/CFT authorities)
Other relevant information stemming from supervision of both functions Other relevant information stemming from supervision of both functions

Source: ECA based on information submitted by the ECB.

Acronyms and abbreviations

AML: Anti-money laundering

AMLD: Anti-money laundering Directive

BCBS: Basel Committee on Banking Supervision

BOS: Board of Supervisors

BUL: Breach of Union law

CFT: Combatting the financing of terrorism

CRD: Capital requirements directive

EBA: European Banking Authority

ECB: European Central Bank

EEAS: European External Action Service

EGMLTF: Expert Group on Anti-money Laundering and Counter Terrorist Financing

EIOPA: European Insurance and Occupational Pensions Authority

ESMA: European Securities and Markets Authority

FATF: Financial Action Task Force

FTE: Full-time equivalent

FINCen: Financial Crimes Enforcement Network

FIU: Financial intelligence unit

GDP: Gross domestic product

LFN: Letter of formal notice

MER: Mutual evaluation report

ML/TF: Money laundering and terrorist financing

SNRA: Supra-national risk assessment

SSM: Single supervisory mechanism


AML supervisor: Public authority in the Member State tasked with the supervising the AML/CFT regime, examination of obliged entities for adherence to the jurisdiction's AML regime, imposition of fines for non-compliance.

Anti-money-laundering Directive: EU legislation and the main legal instrument for the prevention of the use of the Union financial system for the purposes of money laundering and terrorist financing; First Directive – from 1990 and subsequent iterations until the Fifth Directive -from 2018.

Basel Committee on Banking Supervision (BCBS): Primary global standard setter for the prudential regulation of banks and a forum for regular cooperation on banking supervisory matters.

Combating the Financing of Terrorism (CFT): Effective anti-money laundering and combating the financing of terrorism regimes are essential to protect the integrity of markets and of the global financial framework as they help mitigate the factors that facilitate financial abuse.

Conformity check: A check that the relevant provisions of an EU directive have been accurately reflected in national implementing measures.

Court of Justice of the European Union (CJEU): The Court of Justice interprets EU law to make sure it is applied in the same way in all EU countries, and settles legal disputes between national governments and EU institutions.

Credit institution: Undertaking, such as a bank, whose business is to receive deposits or other repayable funds from the public and to grant loans.

Delegated act: A legally binding act used by the Commission, if Parliament and the Council express no objection, to supplement or amend non‑essential parts of EU legislation, for example by giving details of implementing measures.

DG FISMA: European Commission Directorate-General for Financial Stability, Financial Services and Capital Markets Union; co-ordinating DG for AML at the Commission.

European Banking Authority (EBA): An EU agency established in 2011; One of the three European Supervisory Authorities and the main regulator in the area of banking regulation and supervision, drafting of regulatory technical standards to be approved by the Commission; with powers to enforce AML standards.

European Central Bank (ECB): European Institution established with the Treaty of Amsterdam in 1998; direct prudential supervisor of large banks in the euro area via the Single Supervisory Mechanism since 2014.

European External Action Service (EEAS): The EEAS is the EU's diplomatic service. It aims to make EU foreign policy more coherent and effective, thus increasing Europe's global influence. It manages the EU's diplomatic relations with other countries outside the bloc and conducts EU foreign & security policy.

European Supervisory Authorities (ESAs): The ESAs are the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA). The ESAs work on harmonising financial supervision in the EU, and help to ensure the consistent application of the rulebook to create a level playing field. They are also mandated to assess risks and vulnerabilities in the financial sector.

Europol: European Union’s law enforcement agency which inter alia supports the MSs in their fight against money laundering and terrorism.

Financial Action Task Force (FATF): Inter-governmental body established in 1989 by the Ministers of its Member jurisdictions. 39 Members including the European Commission and 14 Member States. Set standards and promote effective implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing and other related threats to the integrity of the international financial system. A “policy-making body” which works to generate the necessary political will to bring about national legislative and regulatory reforms in these areas.

Financial Intelligence Unit (FIU): National competent authority, responsible for enforcing anti-money laundering legislation in the Member State. Responsible for collection, analysis and dissemination of the reporting submitted by obliged entities including with other EU MSs and third countries, and liaison with law enforcement if necessary.

Infringement procedure: According to Articles 258 to 260 of the Treaty on the Functioning of the European Union, the main enforcement mechanism enacted by the Commission against a Member State whenever it is of the opinion that the Member State is in breach of its obligations under EU law.

Letter of Formal Notice (LFN): If the EU country concerned fails to communicate measures that fully transpose the provisions of directives, or do not rectify the suspected violation of EU law, the Commission may initiate a formal infringement procedure. The infringement procedure starts with a letter of formal notice, by which the EU Commission allows the Member State to present its views regarding the breach observed.

Prudential supervision: Direct oversight of financial institutions (including banks) to ensure that they are not just complying with the regulations in a legalistic sense but are operating soundly and prudently in the spirit of the regulatory framework.

Reasoned Opinion (RO): If the EU country concerned fails to communicate measures that fully transpose the provisions of directives, or does not rectify the suspected violation of EU law, the Commission may initiate a formal infringement procedure. After the step of sending a LFN and the Commission concluded that the country is failing to fulfil its obligations under EU law, as a second step in the procedure, it may send a reasoned opinion: a formal request to comply with EU law.

Supervisory Review and Evaluation Process (SREP): The annual supervisory process for large banks in the euro area under direct supervision by the ECB. Gives supervisors a harmonised set of tools to examine a bank’s risk profile from four different angles – Business model, Governance and risk, Capital, Liquidity.

Third country: Third country means a country or territory other than one within the European Community.

Transposition check: An assessment of the compatibility of national implementing measures with a directive’s provisions.

Transposition of EU law: The procedure by which EU Member States incorporate EU directives into their national law in order to make their objectives, requirements and deadlines directly applicable.

Replies of the Commission and the EEAS

Executive summary

Replies from the Commission and the EEAS on the Executive summary (paragraph I-XI):

The Commission is strongly committed to the fight against money laundering and terrorist financing both within the EU and globally. While the EU has developed over the years a solid regulatory framework, there is growing consensus that this framework needs to be improved with the view to achieve a comprehensive Union policy. To this purpose, the Commission adopted an Action Plan on 7 May 2020, announcing an ambitious set of measures on a comprehensive Union policy on preventing money laundering and terrorist financing. The Action Plan outlines the reforms needed with the view to strengthen the Union defences, address current fragmentation and provide for a single rule book, and a EU level supervisor enjoying direct supervisory powers over a limited set of the riskiest financial institutions. The action plan also foresees a mechanism for support and coordination of Financial Intelligence Units.

The forthcoming legislative package will provide for more harmonisation in the form of an AML Regulation accompanying a revised AML Directive.

On 7 May 2020, along with the adoption of the Action Plan, the Commission published a revised methodology for the identification of high risk third countries for the purposes of the AML Directive providing for an increased synergy with the Financial Action Task Force process and an increased engagement with the concerned third countries.

The Commission recalls that it adopted in February 2019 its first autonomous list of high-risk third countries which pose a money-laundering threat to the Union financial system and the proper functioning of the internal market. This autonomous list was rejected by the Council as part of its scrutiny right. Further to that rejection, the Commission revised its methodology and started its strengthened engagement with the concerned third countries.

Regarding past transposition of directives by Member States, as soon as transposition measures were notified in full by the Member States, the Commission made best efforts to complete its assessment. The Commission however acknowledges the challenges for a full and complete transposition of the AML Directives, often requiring not only the adoption of a central AML legal instrument, but also amendments of several other legal instruments in the concerned national orders.



As regards the source of funds referred to in Annex III, the Commission would like to recall that pursuant to Article 155 (2) of the Financial Regulation 2018/1046, the policy on third countries is also used to safeguard the Union budget. Persons and entities implementing Union funds (financial instruments and budgetary guarantees) shall not enter into or renew operations with entities incorporated or established in jurisdictions that are identified as high risk.

Common reply to paragraphs 27 and 28

As regards the method of gathering inputs to generate a third-country list, the novelty of the process hindered a swift implementation. The Commission has been working with the EEAS to establish working methods allowing for a timely flow of information. The refined methodology adopted in May 2020 also allows for a strengthened engagement with third countries. The European Commission, in cooperation with the EEAS, started the engagement process with third countries in summer 2020.


The Commission is a member of the FATF and takes active part in FATF streams of work. Consequently, the Commission takes into account the MERs of concerned third country among other sources. To the extent to which the MER was out of date, available updated information was considered in order to reflect the latest state of play in a given third country.


The Commission is considering the revision of the policy on third countries in the forthcoming AML legislative package.


The Commission is of the view that the update of the Supra National Risk Assessment (SNRA) every second year accounts for the latest risks, including changes over time. As mentioned in paragraph 46 below, all fiches for sectors and products were updated in 2019 and new sectors and products were added (47 in 2019 over 40 in 2017). As regards up-to-date statistical information about monetary volumes of ML/TF, see reply under paragraph 48.


(2nd bullet) The change of the score was based on evidence received from stakeholders and from independent sources. Furthermore, scores were validated first by key stakeholders (for instance EUROPOL), and also by all concerned Commission services within a dedicated ISG.

However, the Commission agrees that further work is needed for better substantiating the changes in this area.

(3rd bullet) The SNRA, in principle, cannot have a geographical focus. However, the Commission recognises that for some sectors this could be applicable.

(4th bullet) Only two SNRAs have ever been adopted (in 2017 and 2019), the frequency of updates every two years is already short by international standards provided by the FATF and considering that national risk assessments are adopted every 4-5 years by the Member States.

Common reply to paragraphs 48 and 49

The Commission would like to note that the provision for Eurostat to submit estimates of quantitative volumes of money laundering has been recently introduced and is not mandatory. Moreover, for the estimates, good quality Member States’ data and a complex statistical methodology are needed, which are not available at this stage.

Common reply to paragraphs 57-59

Member States need time to adopt and notify transposition measures for a complex Directive. This often requires amendments of several pieces of legislation in the internal legal order. As an example, a Member State started to notify its transposition measures in August 2017 and submitted the last notification in October 2020. Only after the last notification, the Commission could conclude on the complete and correct transposition.

In order to start an infringement procedure, regardless of whether the Member State declares complete or partial transposition, the national legislation has to be translated and assessed. This process, as illustrated above, takes time. In infringement proceeding the important is to be accurate, not rapid.

The Commission would like to clarify that existing corporate guidance are in place for the control of transposition of EU legal instruments into national law. Therefore, it was not deemed necessary to develop additional specific guidance.


The Commission is of the view that once a formal request to EBA to investigate a potential BUL case had been made, no formalised regular exchange could have been made in the course of the EBA investigation.

Conclusions and recommendations


The forthcoming AML package will provide for an EU AML/CFT supervisor, as already announced in the Action Plan adopted in May 2020.


The forthcoming AML package will provide for a more harmonisation in the form of a first AML Regulation.

Recommendation 1 – The Commission should improve its risk assessments
  1. The Commission accepts this recommendation.
  2. The Commission accepts this recommendation.
  3. The Commission accepts this recommendation.

See the Commission replies under paragraphs 56, 58, 60-62.

Recommendation 2 – The Commission should ensure the consistent and immediate effect of AML/CFT legislation

The Commission accepts this recommendation.


Formal requests to EBA for any given BUL investigation were done after an assessment by the Commission of the information available in support of the request.

Recommendation 3 – The EBA and Commission should make better use of their BUL powers for ML/TF
  1. The Commission accepts this recommendation.
  2. The Commission accepts this recommendation.
  3. The Commission accepts this recommendation.

The Commission cannot, at this stage, give commitments on the content of future legislative proposals. The Commission considers furthermore that, at a more specific level with respect to data protection/processing, the recommendation requires an analysis of existing EU administrative and data protection law, and needs to be framed against existing provisions of the AML Directive on information sharing. Furthermore, the future development of the AML legal and institutional framework, as announced in the May 2020 Action Plan, will provide a solution through the intended establishment of an EU AML Authority.


The forthcoming AML/CFT package will address current weaknesses as regards the policy on third countries (paragraph 36), better identification of risks (paragraph 49), a more timely control of transposition (paragraph 66), a timely BUL process (paragraph 86).

Replies of the ECB

Paragraph 89

The European Central Bank (ECB) would like to clarify that the reason why the ECB cannot exercise anti-money laundering/combating the financing of terrorism (AML/CFT) supervision is to be found in the Treaty on the Functioning of the EU (TFEU), rather than in the wording of the Single Supervisory Mechanism Regulation (SSMR) that was adopted in 2013.

Recital No 28 of the SSMR merely reflects Article 127(6) of the TFEU, which states the following (emphasis added):

“The Council, acting by means of regulations in accordance with a special legislative procedure, may unanimously, and after consulting the European Parliament and the European Central Bank, confer specific tasks upon the European Central Bank concerning policies relating to the prudential supervision of credit institutions and other financial institutions with the exception of insurance undertakings.”

Paragraph 90

It is worth noting that AML/CFT supervision covers a very wide range of entities, not just banks (for example, it also includes payment institutions, insurance undertakings, consumer credit providers, virtual asset service providers, etc.) and that the national authorities often perform supervisory tasks other than prudential supervision, including with regard to such other types of entity. This may affect the Member States’ conclusions regarding the synergies achieved by concentrating various tasks within the same public body, as referred to in paragraph 90.

Looking in particular at credit institutions, there are separate procedures for determining which institutions are significant for prudential supervision purposes and which are significant for AML/CFT supervision purposes. This would generally lead to two groups of supervised entities which would overlap only partially.

Paragraph 95

Please refer to the ECB’s reply to paragraphs 89 and 90.

Paragraph 98

In 2019 the ECB signed the multilateral agreement establishing the practical modalities for the exchange of information with national AML/CFT supervisors of credit and financial institutions in the European Economic Area, as mandated by the fifth AML Directive. The AML Agreement was subsequently put into operation and progressively implemented during the course of 2019 when AML/CFT supervisors signed the AML Agreement and both ad hoc and regular exchanges of information with the AML/CFT supervisors were instituted. In this context, between January and November 2019 the ECB shared information in relation to supervised entities from two-thirds of the significant supervised groups.

The regular annual exchange of information was extended at the beginning of 2020 to include, in addition to the annual sharing by the ECB of excerpts of the SREP letters, a request to the AML/CFT authorities for, inter alia, information related to ML/TF risk scores and assessments. Since 2020 the ECB has been exchanging information in relation to supervised entities from all the significant supervised groups (see also paragraph 99 in the report).

Paragraph 102

As stated in the ECB’s reply to paragraph 98, the AML Agreement was signed in early 2019 and put into operation in the course of 2019.

The ECB would also like to note that some categories of information, like the relevant extracts from SREP decisions, are already shared by the ECB under a more streamlined process than the approval process described in paragraph 102.

Building on the experience gained over the past two years, the ECB has already started enhancing its internal policies and processes to smooth the sharing of information:

  • The internal processes developed to facilitate the exchange of information within the AML/CFT colleges (which should be established for around half of the significant institutions and groups) include a simplified decision-making procedure to improve the timeliness and efficiency of exchanging information between the ECB and the AML/CFT supervisory authorities within the AML/CFT colleges.
  • The ECB intends to implement a simplified process for exchanging information under the AML Agreement by the end of 2021.
Paragraph 106

The ECB would like to note that it has been proactive and since 2019 it has already updated and implemented its Supervisory Manual and internal methodologies to incorporate prudential concerns related to money laundering and terrorist financing (ML/TF) risks in off-site and on-site supervision and in authorisations procedures.

The updated Supervisory Manual was also applied for the 2020 SREP cycle, in which all the JSTs analysed the prudential impact of various ML/TF warning signals in the SREP assessment (see also paragraph 110 in the report).

Paragraph 108

Please refer to the ECB’s reply to paragraph 106.

Paragraph 109

Please refer to the ECB’s reply to paragraph 106.

Paragraph 121

Please refer to the ECB’s reply to paragraph 102.

Paragraph 122

Please refer to the ECB’s reply to paragraph 106.

Recommendation 4 – ECB

The ECB accepts the recommendation.

Regarding point a) please refer to the ECB’s reply to paragraph 102 for further background on the ongoing and planned development of its internal processes.

Regarding point b) the ECB will update its SREP methodology following the publication of the amended EBA SREP guidelines.

Replies of the EBA

Executive summary


The EBA’s legal AML/CFT mandate and powers were expanded in 2020 to tackle ML/TF risk across all areas of financial supervision and across all sectors. The focus of our work has been and continues to be to strengthen AML/CFT supervision in the EU through setting the right standards and working constructively with competent authorities to achieve supervisory convergence. Breach of Union law investigations are one tool, which the EBA has used, alongside other tools, but they are not the main driver of the EBA’s AML/CFT work.


The reforms, which took effect on 1 January 2020, have reduced institutional fragmentation by giving the leading, coordinating and monitoring role on AML/CFT to the EBA. Nevertheless, AML/CFT supervision remains allocated to national supervisors operating under a Union legislative framework which is minimum-harmonizing, high-level, provides just two technical standards empowerments neither of which concerns core supervisory practices, and is transposed in different ways by Member States. There are therefore limits to what the EBA can achieve by way of harmonization and convergence under the current AML/CFT framework.


We welcome the finding that EBA staff carried out thorough BUL investigations.

Since the ESAs Review introduced new conflict of interest requirements from 1 January 2020 which require Board members to refrain from participating in and voting on Board agenda items on which they are conflicted. In implementing those provisions, the EBA extended conflict of interest requirements to BUL Panel members. The EBA will review those revised procedures to identify what further amendments may be brought forward to further ensure that the deliberative process is not affected by conflicts of interest.

The EBA has issued guidance to supervisors in the form of two technical standards, four guidelines and eight opinions on AML/CFT-related issues to-date, either on its own or jointly with ESMA and EIOPA. These legal instruments include guidelines on risk-based AML/CFT supervision and the assessment of ML/TF risks.

The minimum harmonization nature of relevant provisions in the AMLD has led to divergent approaches in Member States; EBA guidelines cannot overcome national law and divergent national laws limit the degree of convergence that our guidelines can achieve.

  1. The EBA accepts this recommendation. EBA staff will review procedures implemented since the ESAs Review in January 2020 in order to reinforce the independence of panel members.
  2. The EBA accepts the need to complement the ESAs’ 2019 AML/CFT cooperation guidelines that address AML/CFT supervisors with AML/CFT cooperation guidelines that address prudential supervisors. It now has the legal basis to do so, further to amendments of Directive 2013/36/EU (as amended by Directive (EU) 2019/878 (CRDV)).



The EBA's work has included issuing two regulatory technical standards, four guidelines and eight opinions to date, such as guidelines on risk-based AML/CFT supervision, on ML/TF risk factors and on supervisory cooperation (AML/CFT colleges), and three opinions on ML/TF risks affecting the EU’s financial sector. This is in addition to reports on a diverse range of issues such as the EBA’s assessment of supervisor’s approaches to AML/CFT supervision, the functioning of AML/CFT colleges and the future legal and regulatory AML/CFT framework.



The EBA concluded the first request received from the Commission with the adoption of a BUL recommendation. After receiving further requests, the EBA kept the Commission informed of its prioritisation and progress.

Time was taken in closing cases due to multiple requests for complex investigations involving prudential and ML/TF supervision of individual banks by several supervisors over a number of years and under changing legislative regimes, and due to the EBA prioritising them in line with available resources. Further time was necessary to consider the implications of the closure of one of those cases for the remaining cases that had been deprioritised, and the EBA accepts that earlier formal communication could have been useful.

The EBA’s BUL investigation power is, however, without prejudice to the Commission’s power to take action under Article 258 TFEU where it considers that a Member State has failed to fulfil an obligation under the Treaties.


The EBA welcomes the finding that the EBA carried out comprehensive investigations in the two cases referred to.


On 1 January 2020, the ESAs Review introduced additional conflict of interest requirements. The EBA extended those requirements to BUL Panel members.

At the time of the deliberative process in question, the EBA’s policies and procedures on conflicts of interest and BUL investigations did not make provision in relation to contact with BUL Panel members. Nevertheless, when necessary panel members have been advised against accepting attempts to influence them in their role as a Panel member.


The Commission representative was informed of the Board’s decision immediately after the restricted agenda item had concluded. The EBA published a press release announcing the closure of the investigation and rejection of a proposal for a breach of Union law recommendation the day after the vote was taken.


The EBA notes that it has adopted breach of Union law recommendations even before the latest adjustments to its governance, including in relation to ML/TF supervision.

The governance of the EBA is a matter for the co-legislators. The EBA fully implemented the ESAs Review adjustments to the EBA’s governance, which exclude conflicted members of the Board of Supervisors from participating in the discussion of, and voting on, relevant agenda items. The EBA extended those provisions to bodies, which prepare decisions for the Board of Supervisors, including the new Anti-Money Laundering Standing Committee and BUL panels.


The EBA prefers to have as full input into its Board discussions as possible. It assesses in each case whether the sensitivity and confidential nature of the information concerned and the related professional secrecy rules require the Commission and other non-voting members to be excluded.

The EBA provided the draft recommendation following correspondence with the Commission to establish the appropriate legal basis.


Since 1 January 2020, the EBA Regulation formally requires the EBA to outline how it intends to proceed with the case. Before this date, the EBA nevertheless provided such an outline through informal exchanges, informing Commission staff how it had prioritised the cases referred to it and enabling Commission staff to express any expectations.


It is the role and responsibility of the Board of Supervisors to discuss and decide on proposals made by the BUL panel. The EBA’s breach of Union law July 2018 recommendation demonstrates that the BUL mechanism can be effective and in the EU interest where clear failures to comply with Union law exist and recommendations can be made to rectify the situation.


The EBA notes that the current, minimum harmonisation, legal framework and the resultant divergence of national approaches limit the degree of convergence its guidelines can achieve.

The EBA agrees, based on its own findings, that national competent authorities’ approaches to assessing ML/TF risk associated with individual financial institutions under their supervision are not always effective.

The EBA has taken steps to address this in updates to its guidance on risk-based AML/CFT supervision, which are currently under consultation.


The EBA would like to specify that under the initial SREP Guidelines, prudential supervisors could still incorporate AML related risks into the assessment in as far as they affected any of the SREP elements.

The 2018 SREP guidelines amendments preceded the legislative changes to the prudential legislative framework to expressly integrate ML/TF risk. Increasingly harmonized supervisory practices were developed by the EBA, as shown by the subsequent opinions in this area, once the legal basis was set by the CRDV.


The EBA notes that the current, minimum harmonisation, legal framework and the resultant divergence of national approaches limit the degree of convergence its guidelines can achieve.

Nevertheless, following the Council action plan and the CRDV, the EBA issued two Opinions with increasing level of detail on the incorporation if ML/TF risks in SREP. The EBA will shortly consult on its revised SREP Guidelines that include a harmonised, more integrated set of provisions that will allow prudential supervisors to reflect the prudential implications of ML/TF risks under SREP in a consistent manner.

Conclusions and recommendations

Recommendation 2 – The Commission should ensure the consistent and immediate effect of AML/CFT legislation 119

Paragraph 119 summarises certain statements in the preceding paragraphs. Accordingly, the EBA refers to its comments in reply to each of those statements made above.


As noted in paragraph 86, the EBA’s breach of Union law July 2018 recommendation demonstrates that the BUL mechanism can be effective.

The EBA also uses other tools to address supervisory convergence such as AML/CFT supervision reviews and, since 2020, requests to competent authorities to carry out AML/CFT investigations.

The EBA shares the general view that the uniform application of EU law in relation to AML/CFT obligations would be improved by further use of regulations over directives and providing technical standards mandates to minimise difficulties caused by different national transpositions.

Recommendation 3 – The EBA and Commission should make better use of their BUL powers for ML/TF
  • The EBA accepts this recommendation. We acknowledge the benefits of formalising the prioritisation choices that it communicated to the Commission, including where delays may arise because resource limitations prevent cases from being investigated immediately but closing the case without investigation would also be undesirable.
  • The EBA accepts this recommendation. EBA staff will review procedures implemented since the ESAs Review in January 2020 in order to reinforce the independence of panel members.
Recommendation 4 – EBA and ECB should work to better incorporate ML/TF risk into prudential supervision
  1. The EBA accepts the recommendation. The EBA is developing revised SREP Guidelines to provide more detailed guidance. The EBA aims to publish revised guidelines for consultation by July 2021.
  2. The EBA accepts the recommendation. Updated guidelines are currently under consultation and will be finalised once the public consultation closes, on 17 June 2021. The guidelines will provide greater consistency in AML/CFT assessments of supervised entities by addressing challenges in the implementation of the risk-based approach to AML/CFT supervision identified during EBA reviews of competent authorities carried out in 2019.
  3. The EBA accepts the recommendation. The EBA will shortly consult on guidelines, which will detail the types of information to be exchanged by authorities, stress the importance of the timeliness of information sharing, and establish mechanisms to ensure that it is achieved.

Audit team

The ECA’s special reports set out the results of its audits of EU policies and programmes, or of management-related topics from specific budgetary areas. The ECA selects and designs these audit tasks to be of maximum impact by considering the risks to performance or compliance, the level of income or spending involved, forthcoming developments and political and public interest.

This performance audit was carried out by Audit Chamber IV Regulation of markets and competitive economy, headed by ECA Member Alex Brenninkmeijer. The audit was led by ECA Member Mihails Kozlovs, supported by Edite Dzalbe, Head of Private Office and Laura Graudina, Private Office Attaché; Zacharias Kolias, Principal Manager; Shane Enright, Head of Task; Giorgos Tsikkos, Helmut Kern, Marc Hertgen, Marion Schiefele, Katja Mravlak and Nadiya Sultan, Auditors; Andreea-Maria Feipel-Cosciug, Lawyer. Michael Pyper provided linguistic support.


1 See Eurostat’s ‘Money laundering in Europe’ (2013).

2 The EBA recently concluded that “the same breach by the same financial institution is therefore likely to trigger the imposition of different sanctions and measures, depending on which competent authority is responsible for taking enforcement action, or no sanctions or measures at all. ”EBA Report on European Commission’s call for advice on the future EU legal framework on AML/CFT”, September 2020, paragraph 88, p. 23.

3 This can lead to the failure of a bank.

4 In January 2020, DG FISMA took over AML/CFT responsibility from the Commission’s Directorate General for Justice and Consumers (DG JUST).

5 This has been highlighted by the Basel Institute of Governance in its Basel AML Index: Ranking money laundering and terrorist financing risks around the world (2020 edition, p. 4): “This poor performance is consistent with breaches of AML provisions in European banks over the last few years […] have raised alarm about the quality of banking and non-banking supervision related to AML/CFT.”

6 European Commission, “Action Plan for a comprehensive Union policy on preventing money laundering and terrorist financing, May 2020.

7 European Parliament, Resolution on a comprehensive Union policy on preventing money laundering and terrorist financing – the Commission’s Action Plan and other recent developments, July 2020.

8 Council of the EU, Council Conclusions on anti-money laundering and countering the financing of terrorism, November 2020.

9 FATF Recommendations 2012, as amended June 2019.

10 Basel Committee on Banking Supervision, “Introduction of guidelines on interaction and cooperation between prudential and AML/CFT supervision”, and “Core Principles for Effective Banking Supervision”.

11 Under EU Directives 2015/849 (“AMLD4”) and 2018/843 (“AMLD5”), Article 9.

12 Treaty on the Functioning of the European Union, Article 290.

13 The term “third country” refers to jurisdictions (countries and territories) outside the EU.

14 Commission, “Methodology for identifying high risk third countries under Directive (EU) 2015/849”.

15 Scale from 1 (low significance) to 4 (high significance).

16 Commission, “Report on the assessment of the risk of money laundering and terrorist financing affecting the internal market and relating to cross-border activities” section 4 – Recommendations.

17 AMLD5, Article 6(2)(b) and AMLD5, Article 44; these obligations refer to the Commission, which may include the responsibilities of Eurostat and/or other DGs such as FISMA.

18 These are Commission powers under TFEU Articles 258 and 260.

19 This is the Commission’s responsibility under TEU Article 17.

20 Article 13 on customer due diligence measures; Article 18 on enhanced customer due diligence; Article 30 on beneficial ownership information and central register; Article 45 on the additional measures in case of the application of the third country law and Article 50 on cooperation with ESAs.

21 For more background see ECA review 07/2018”Putting EU law into practice: The European Commission’s oversight responsibilities under Article 17(1) of the Treaty on European Union”.

22 25 % replied that workshops were “very useful” and 60 % replied “somewhat useful”.

23 Furthermore, in our survey, 12 out of 20 Member States (60 %) declared that informal contacts, e.g. bilateral meetings with the Commission, were “very useful”.

24 One week later, six Member States had declared complete transposition and 15 Member States not yet notified any measure.

25 Commission, “Better Regulation guideline, Toolbox No 37”, p. 285.

26 As of September 2020.

27 Commission, “Better Regulation guideline, Toolbox No 37”.

28 Transposition checks start upon the expiry of the transposition deadline.

29 In line with the Commission, Better Regulation guideline, Toolbox 37: “The Commission aims at completing the transposition check within six months after the transposition deadline expires. If Member States fail to notify the transposition measures by the deadline, an infringement procedure will be launched as soon as possible. In that case, the six-month period will start when the measures are notified”. As the end of this period is not indicated in the Better Regulation, we calculated it from the transposition deadline to the initiation of the infringement procedure (countries 1 and 3) and in a case of a missing declaration (country 2) from first notification until the closure of the case.

30 Idem.

31 Furthermore, 12 out of 20 Member States (60 %) replying to our survey stated that four or more central government ministries were involved in the transposition of AMLD4.

32 See the “Joint Political Declaration of 28 September 2011 of Member States and the Commission on explanatory documents”.

33 Court of Justice of the European Union, judgment of 8 July 2019 in Case C-543/17, Commission v Belgium; reiterated in judgment of 16 July 2020, Commission v Ireland, C‑550/18, ECLI:EU:C:2020:564, paragraph 74.

34 Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC, OJ L 331, 15.12.2010, pp. 12-47, as lastly amended by Regulation (EU) 2019/2175 of the European Parliament and of the Council of 18 December 2019.

35 Under Article 17(2) of the EBA Regulation.

36 Commission, Report to the European Parliament and the Council on the assessment of recent alleged money laundering cases involving EU credit institutions, 2019.

37 Commission, Report to the European Parliament and the Council on the operation of the European Supervisory Authorities (ESAs) and the European System of Financial Supervision (ESFS), 2014.

38 Court of Auditors Special report 10/2019 EU-wide stress tests for banks: unparalleled amount of information on banks provided but greater coordination and focus on risks needed, paragraph 113.

39 As required under Article 33(2) of Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (the “SSM Regulation” or “SSMR”).

40 Article 127(6) TFEU and recital 28 of the SSMR.

41 Recital 29 of the SSMR.

42 The legislation did not simultaneously provide for corresponding exemptions from the professional secrecy regime. Recital 19 of AMLD5 acknowledges this stating that: “the exchange of confidential information and collaboration between AML/CFT competent authorities supervising credit and financial institutions and prudential supervisors should not be hampered by legal uncertainty which might arise as a result of the absence of explicit provisions in this field. Clarification of the legal framework is even more important since prudential supervision has, in a number of cases, been entrusted to non-AML/CFT supervisors, such as the European Central Bank (ECB).”

43 AMLD5 entered into force in June 2018.

44 CRD V entered into force in June 2019.

45 Specifically, credit institutions from 12 significant supervised groups.

46 EBA, Multilateral Agreement on the practical modalities for exchange of information on AML/CFT between the ECB and CAs, 2019.

47 This issue was also raised in the ECA special report 29/2016 SSM – Good start but further improvements needed, paragraph 185.

48 EBA, Guidelines on the revised common procedures and methodologies for the supervisory review and evaluation process (SREP) and supervisory stress testing, 2018.

49 This was outside our sample period.

50 European Securities and Markets Authority (ESMA).

51 European Insurance and Occupational Pensions Authority (EIOPA).

52 As of September 2020.

53 Duration of the longest infringement procedure.


Event Date
Adoption of Audit Planning Memorandum (APM) / Start of audit 3.3.2020
Official sending of draft report to Commission (or other auditee) 26.3.2021
Adoption of the final report after the adversarial procedure 20.5.2021
Official replies of the Commission and the EEAS received in all languages 24.6.2021
ECB official replies received in all languages 12.5.2021
EBA official replies received in all languages 19.5.2021


12, rue Alcide De Gasperi
1615 Luxembourg

Tel. +352 4398-1
Enquiries: eca.europa.eu/en/Pages/ContactForm.aspx
Website: eca.europa.eu
Twitter: @EUAuditors

More information on the European Union is available on the internet (http://europa.eu).

Luxembourg: Publications Office of the European Union, 2021

PDF ISBN 978-92-847-6228-6 ISSN 1977-5679 doi:10.2865/431649 QJ-AB-21-013-EN-N
HTML ISBN 978-92-847-6208-8 ISSN 1977-5679 doi:10.2865/868602 QJ-AB-21-013-EN-Q


© European Union, 2021.

The reuse policy of the European Court of Auditors (ECA) is implemented by Decision of the European Court of Auditors No 6-2019 on the open data policy and the reuse of documents.

Unless otherwise indicated (e.g. in individual copyright notices), the ECA’s content owned by the EU is licensed under the Creative Commons Attribution 4.0 International (CC BY 4.0) licence. This means that reuse is allowed, provided appropriate credit is given and changes are indicated. The reuser must not distort the original meaning or message of the documents. The ECA shall not be liable for any consequences of reuse.

You are required to clear additional rights if a specific content depicts identifiable private individuals, e.g. in pictures of the ECA’s staff or includes third-party works. Where permission is obtained, such permission shall cancel and replace the above-mentioned general permission and shall clearly indicate any restrictions on use.

To use or reproduce content that is not owned by the EU, you may need to seek permission directly from the copyright holders.

Software or documents covered by industrial property rights, such as patents, trade marks, registered designs, logos and names, are excluded from the ECA’s reuse policy and are not licensed to you.

The European Union’s family of institutional Web Sites, within the europa.eu domain, provides links to third-party sites. Since the ECA has no control over them, you are encouraged to review their privacy and copyright policies.

Use of European Court of Auditors’ logo

The European Court of Auditors logo must not be used without the European Court of Auditors’ prior consent.


In person
All over the European Union there are hundreds of Europe Direct Information Centres. You can find the address of the centre nearest you at: https://europa.eu/european-union/contact_en

On the phone or by e-mail
Europe Direct is a service that your questions about the European Union. You can contact this service


Information about the European Union in all the official languages of the EU is available on the Europa website at: https://europa.eu/european-union/index_en

EU Publications
You can download or order free and priced EU publications at: https://op.europa.eu/en/web/general-publications/publications. Multiple copies of free publications may be obtained by contacting Europe Direct or your local information centre (see https://europa.eu/european-union/contact_en)

EU law and related documents
For access to legal information from the EU, including all EU law since 1952 in all the official language versions, go to EUR-Lex at: http://eur-lex.europa.eu/homepage.html?locale=en

Open data from the EU
The EU Open Data Portal (https://data.europa.eu/euodp/en/home) provides access to datasets from the EU. Data can be downloaded and reused for free, both for commercial and non-commercial purposes.