Legal provisions of COM(2019)282 - Application of Chapter IV of Regulation (EU) 2015/847 on information accompanying transfers of funds - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2019)282 - Application of Chapter IV of Regulation (EU) 2015/847 on information accompanying transfers of funds. |
|---|---|
| document | COM(2019)282  |
| date | June 19, 2019 |
Brussels, 19.6.2019
COM(2019) 282 final
REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL
on the application of Chapter IV of Regulation (EU) 2015/847 on information accompanying transfers of funds
I.Introduction
Regulation (EU) 2015/847 1 on information accompanying transfers of funds (hereinafter “the Regulation”) together with Directive (EU) 2015/849 2 on preventing the use of the financial system for money laundering or terrorist financing (“AMLD”) constitute a modernised regulatory framework to fight abuses of the financial market, ensuring its safety and integrity and promoting the highest standards for anti-money laundering and counter terrorist financing (“AML/CFT”).
The key objective of the Regulation is to make fund transfers more transparent, thereby facilitating the prevention, detection and investigation of money laundering and terrorist financing. For this purpose, the Regulation imposes a set of obligations on payment service providers with regard to the information on payers and payees that has to accompany transfers of funds. National supervisory authorities are, in turn, in charge of monitoring the compliance of payment service providers with the relevant provisions of the Regulation.
This is regulated in Chapter IV of the Regulation that contains a set of provisions on sanctions and monitoring. It requires Member States to set up a regime of administrative sanctions and measures applicable to breaches of the Regulation, allowing to hold liable both natural and legal persons. Furthermore, this Chapter lists specific breaches that ought to be sanctionable. It also obliges national supervisory authorities to publish sanctions and measures they impose and provides relevant criteria for determination of appropriate sanctions. Finally, Chapter IV requires an establishment of an effective framework for reporting of breaches and compliance monitoring.
Article 22(2) of the Regulation requires that: “After Member States have notified the rules referred to in paragraph 1 of this Article to the Commission and to the Joint Committee of the ESAs in accordance with Article 17(3), the Commission shall submit a report to the European Parliament and to the Council on the application of Chapter IV, with particular regard to cross-border cases.”
This report is prepared for the purposes of Article 22(2). The first part of the report describes the state of play of the implementation by Member States of Chapter IV of the Regulation, focusing on important horizontal implementation issues, common to several Member States. 3 The second part of the report provides an overview of sanctioning activities of different national supervisory authorities. In the drafting of this report, the European Commission (“Commission”) made use of Member States’ notifications submitted to the Commission under Article 17(3) of the Regulation, the assessment of these notifications, and the oral and written input provided by Member States within the framework of the Expert Group on the Prevention of Money Laundering and Terrorist Financing.
II.Implementation of Chapter IV of Regulation 2015/847 on sanctions and monitoring
A.General comments
The Regulation is binding in its entirety and directly applicable in all Member States. However, with regard to Chapter IV, it foresees that certain implementing measures might need to be adopted by Member States. Therefore, Member States were required to notify to the Commission their national rules on administrative sanctions and measures applicable to breaches of this Regulation by 26 June 2017. The Commission assessed the received notifications and concluded that the implementation by Member States of the relevant provisions is overall satisfactory. Nevertheless, the assessment has also identified several shortcomings.
B.Assessment of implementation of individual provisions of Chapter IV
a)Article 17 – Administrative sanctions and measures
Article 17(1) of the Regulation requires Member States to adopt rules on effective, proportionate and dissuasive 4 administrative sanctions and measures applicable to breaches of the Regulation and ensure their implementation. Such sanctions and measures must be consistent with the sanctions set under the AMLD. The Commission found that almost all Member States correctly implemented the main part of this provision. However, several Member States did not correctly implement the second sentence of Article 17(1), with their national legislation either failing to provide for one or more sanctions available under the AMLD or setting insufficient levels for available pecuniary sanctions. With regard to the latter, both inconsistency with the AMLD and non-dissuasiveness of such sanctions were concluded.
The second subparagraph of Article 17(1) allows Member States to not lay down rules on administrative sanctions and measures for breaches of the Regulation that are subject to criminal sanctions under their national law. Only a few Member States relied on this option.
Article 17(2) requires Member States to ensure that administrative sanctions or measures can be applied to the members of the management body and to any other natural person who is responsible for the breach of an obligation imposed on a payment service provider under the Regulation. Almost all Member States have correctly implemented this provision.
Pursuant to Article 17(4), national supervisory authorities, when exercising their functions under the Regulation, should have at their disposal all the necessary supervisory and investigatory powers. While the Regulation does not provide further details, in order to be considered effective, the available supervisory and investigatory powers should typically include a right to request information or submission of documents from payment service providers, launch investigations, proceed with on-site visits, etc. Almost all Member States correctly implemented this provision.
The second sentence of Article 17(4) requires supervisory authorities to cooperate in their enforcement activities and coordinate their actions, which is vital considering the often cross-border nature of money laundering and terrorist financing. Unfortunately, several Members States failed to correctly implemented the cooperation obligation and the vast majority of Member States ignored the coordination duty imposed by the Regulation. A few Member States have not adopted any related implementing measures at all.
Point (5) and point (6) of Article 17 concern the liability of legal persons for breaches listed in Article 18 of the Regulation. 5 More specifically, Article 17(5) requires Member States to ensure that a legal person can be held liable for breaches committed for its benefit by any person having a leading position within the legal person. The Regulation further provides a list of alternative criteria allowing to conclude on a leading position of a natural person. 6 Similarly, under Article 17(6), Member States should ensure that a legal person can be held liable when a lack of supervision or control by a person referred to in Article 17(5) has made it possible to commit a breach referred to in Article 18 by a person under its authority, for the benefit of that legal person. With regard to both points, numerous instances of incorrect implementation were identified. While several Member States did not implement at all these articles, others failed to implement them correctly.
Pursuant to Article 17(7), supervisory authorities should exercise their sanctioning powers directly, in collaboration with other authorities, under their responsibility by delegation to such other authorities, or by application to the competent judicial authorities. Through the notifications, the Commission identified that the supervisory authorities of almost all Member States can exercise their sanctioning powers in a direct manner and many of them can also do it collaboration with other authorities.
b)Article 18 – Specific provisions
Article 18 lists four specific sanctionable breaches of the Regulation, i.e.
(a)repeated or systematic failure by a payment service provider to include the required information on the payer or the payee;
(b)repeated, systematic or serious failure by a payment service provider to retain records;
(c)failure by a payment service provider to implement effective risk-based procedures;
(d)serious failure by an intermediary service provider to comply with the provisions of the Regulation on the detection of missing information on the payer or the payee as well as transfers of funds with missing information on the payer or the payee.
Under Article 18, administrative sanctions and measures applicable to these breaches should include at least those laid down by Article 59(2) and (3) of the AMLD. 7
When implementing this provision, many Member States have gone beyond what is required under Article 18, sanctioning not only the breaches listed under this article, but all breaches of the Regulation. However, several instances of incorrect implementation were identified, as the national legislation of certain Member States fails to provide for either one or several administrative sanctions and measures laid down by the relevant article of the AMLD and the levels of available pecuniary sanctions were found insufficiently high in the case of several national legislations.
c)Article 21 – Reporting of breaches
Article 21(1) of the Regulation requires Member States to establish effective mechanisms encouraging reporting of breaches of the Regulation to national supervisory authorities. These mechanisms should include at least those referred to in Article 61(2) of the AMLD with regard to reporting and protection for employees as well as the accused and other relevant persons. 8 The assessment identified that several Member States failed to implement both this provision of the Regulation and the relevant article of the AMLD. Furthermore, the national legislation of a few Member States does not establish either one or several mechanisms provided for by the AMLD.
Article 21(2) of the Regulation obliges payment service providers to establish, in cooperation with national supervisory authorities, appropriate internal channels for reporting of breaches. These internal reporting channels should be secure, independent, specific and anonymous. While the majority of Member State adopted specific provisions to implement this article, several instances of incorrect implementation were identified, as the national legislation of certain Member States lacks one or several of these safeguards.
d)Article 22 – Monitoring
Finally, pursuant to Article 22(1) of the Regulation, Member States should require national supervisory authorities to monitor and ensure compliance with the Regulation as well as encourage an effective reporting of breaches. Despite an overall satisfactory implementation of this provision, laws of several Member States fail to include compliance monitoring among the duties of their national supervisory authorities. Almost all authorities effectively ensure compliance with the Regulation thanks to their investigatory and sanctioning powers.
C.Identified horizontal implementation issues
When assessing the implementation of Chapter IV of the Regulation, the Commission has identified certain horizontal issues that are common to several Member States.
First, despite the explicit requirement provided for by the Regulation, the implementing legislation of several Member States fails to establish a clear obligation for competent authorities to cooperate with their counterparts in other Member States. National laws of certain Member States only grant their supervisory authorities a right to cooperate, but not an obligation to do so. In addition, a few Member States seem to have incorrectly implemented this obligation as applying between different authorities domestically rather than cross-border. Furthermore, several Member States failed to implement the part of the provision that relates to an obligation of competent authorities to coordinate their actions with regard to cross-border cases.
Several shortcomings regarding the regime of liability of legal persons have also been identified. A general regime allowing to hold liable legal persons cannot be considered a conform implementation of Article 17(5) and (6) of the Regulation. The Regulation requires legal persons to be held liable in two explicitly described case scenarios: 1) when a breach is committed by a person with a leading position within a legal person and 2) when a lack of supervision by a person with a leading position leads to a breach being committed. Thus, a correct implementation must make a clear link between the behaviour of a natural person with a leading position and a liability of a legal person. Furthermore, relevant implementing provisions of certain Member States make this liability applicable to a narrower class of persons than what is required by the Regulation, e.g. by reference to “persons belonging to the management”.
With regard to specific sanctionable breaches, national laws of certain Member States sanction only breaches that are repeated, systematic or serious. However, such implementation is considered as incorrect and partial, as it fails to cover letter (c) of Article 18, concerning “a failure by a payment service provider to implement effective risk-based procedures, in breach of Articles 8 or 12”.
Several Member States also failed to implement one or several mechanisms encouraging reporting of breaches to national supervisory authorities. The majority of the identified shortcomings concerns the appropriate protection of the accused person, granted by Article 61(2)(c) of the AMLD.
With regard to the safeguards related to internal channels for reporting of breaches, an explicit guarantee of their secure and independent character was missing in national laws of several Member States. In addition, providing simply for confidentiality of reporting cannot be considered as a correct implementation of the anonymity requirement, as protection offered by confidentiality is not equal to that offered by anonymity. In addition, while under Article 21(2) internal reporting channels are to be “proportionate to the nature and size of the payment service providers”, certain Member States failed to establish criteria that took into account both the nature and the size of the provider.
Finally, separate provisions of the Regulation require national supervisory authorities to, on the one hand, monitor compliance and, on the other hand, have investigatory as well as sanctioning powers. The compliance/monitoring obligation covers proactive supervision even in the absence of any reports on potential breaches. Therefore, the scope of this obligation is different from the duty to investigate alleged breaches and sanction actual infringements. Thus, to be considered correct, national implementing provisions should explicitly address all of these elements.
III.Application of Chapter IV of the Regulation by national supervisory authorities
In addition to assessing the implementation of the relevant provisions of Chapter IV, the Commission analysed the practical application of these provisions through a targeted questionnaire addressed to the Member States and an oral discussion with their relevant experts in the context of a meeting of the Expert Group on the Prevention of Money Laundering and Terrorist Financing. Twenty-six Member States submitted their responses to this questionnaire. 9
With regard to the imposition of administrative sanctions and measures, nineteen supervisory authorities reported that no sanctioning decision has been imposed for breaches of the Regulation. Three supervisory authorities do not hold specific data relating to the actions taken under the Regulation.
According to the input received by the Commission, very few supervisory authorities, e.g. the authorities of Croatia and Latvia, have so far imposed any sanctioning decisions for breaches of the Regulation. The sanctions imposed by these authorities consisted of, among other, written warnings and pecuniary sanctions.
With regard to on-going investigations and supervisory actions, several supervisory authorities, e.g. the authorities of Croatia, the Czech Republic, Denmark, Germany, Latvia, Poland and Spain, reported on-going activities.
Many Member States reported the implementation of the publication obligation, with some of them providing data on the publication of sanctioning decisions related to the AML/CFT legal framework. However, the low number of sanctioning decisions related to the Regulation affects the number of relevant publications.
With regard to modalities of the publication, several supervisory authorities reported that the publication takes place “immediately”, “within 24h” or “without delay”, following the adoption of a sanctioning decision. Certain supervisory authorities referred to the final character of decisions as a decisive factor influencing the delay. In fact, only thirteen supervisory authorities publish sanctioning decisions that are subject to appeal. Even fewer supervisory authorities publish decisions imposing measures of an investigatory nature.
Regarding the cooperation between competent authorities of different Member States, the majority of the supervisory authorities declared that if a reported breach had connections to another Member State, they would inform their relevant counterpart. However, most of these authorities further specified that they have not been confronted with such case with regard to the Regulation. Furthermore, no supervisory authority has reported receiving any Regulation-specific cooperation requests. In addition, no supervisory authority has informed the Commission about imposing a sanctioning decision or having dealt with any cross-border cases under the Regulation.
With regard to reporting of breaches, the majority of supervisory authorities stated that no potential breaches of the Regulation have so far been reported to them. One authority, namely the UK Financial Conduct Authority, has informed the Commission about passing on to the European Banking Authority of all three potential breaches of the Regulation it had been made aware of.
Overall, the questionnaire has revealed a rather modest practical application of Chapter IV of the Regulation. However, as rightly pointed out by supervisory authorities of several Member States, both instructiveness and robustness of the gathered data are affected by a difficulty in dissecting the Regulation-specific statistics as well as a relatively recent entry into force of this act.
IV.Conclusion
The Commission finds the implementation by Member States of Chapter IV of the Regulation to be of an overall satisfactory quality. However, the identified shortcomings, e.g. the horizontal problem related to cross-border cooperation, should not be neglected. It is vital to eliminate all legal loopholes, as an effective sanctioning policy is of crucial importance for ensuring compliance with the Regulation.
With regard to the application of the relevant provisions of the Regulation, no major deficiencies have been identified. The answers provided to the Commission’s questionnaire demonstrated an engagement of national competent authorities in supervisory activities regarding both the Regulation and the AMLD. Their modest sanctioning and investigatory activities under the Regulation could result from a general compliance of payment service providers with their legal obligations, but a more long-term monitoring will be necessary to exclude any potential weaknesses of the supervision framework.
Considering an often cross-border nature of money laundering and terrorist financing, it is of utmost importance that the legal obligation of national supervisory authorities to cooperate and coordinate their actions, as provided for by the Regulation, is both correctly implemented and effectively applied in all Member States.
The Commission will continue to support Member States in their implementation efforts and it reserves the right to take further measures to ensure that the Regulation is correctly implemented by all Member States. It is also vital that the national supervisory authorities effectively apply the Regulation and step up their enforcement activities.
(1)
Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006, OJ L 141, 5.6.2015, p. 1–18
(2)
Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC, OJ L 141, 5.6.2015, p. 73–117
(3)
This is without prejudice to infringement proceedings already launched or to be launched by the Commission against Member States as regards the completeness and conformity of national implementing legislation or the application or implementation of their obligations.
(4)
The assessment of effectiveness, proportionality and dissuasiveness shall take into consideration if penalties are appropriate to ensure compliance with EU law and achieve the desired objective (effectiveness), that the penalties adequately reflect the gravity of the violation and do not go beyond what is necessary to achieve the desired objective (proportionality) and that the penalties have a deterrent effect on an offender, who should be prevented from repeating the offence, and on other potential offenders, who should be prevented from committing the said offence (dissuasiveness).
(5)
For the list of breaches sanctionable under Article 18, please refer to the next section of the report.
(6)
Under Article 17(5), a leading position within a legal person can be based on any of the following:
(a) power to represent the legal person;
(b) authority to take decisions on behalf of the legal person; or
(c) authority to exercise control within the legal person.
(7)
Under Article 59(2) and (3) of Directive (EU) 2015/849, available administrative sanctions and measures should include at least the following:
(a)a public statement which identifies the natural or legal person and the nature of the breach;
(b)an order requiring the natural or legal person to cease the conduct and to desist from repetition of that conduct;
(c)where an obliged entity is subject to an authorisation, withdrawal or suspension of the authorisation;
(d)a temporary ban against any person discharging managerial responsibilities in an obliged entity, or any other natural person, held responsible for the breach, from exercising managerial functions in obliged entities;
(e)maximum administrative pecuniary sanctions of at least twice the amount of the benefit derived from the breach where that benefit can be determined, or at least EUR 1 000 000.
Member States shall provide that, where the obliged entity concerned is a credit institution or financial institution, the following sanctions can also be applied:
(a)in the case of a legal person, maximum administrative pecuniary sanctions of at least EUR 5 000 000 or 10% of the total annual turnover;
(b)in the case of a natural person, maximum administrative pecuniary sanctions of at least EUR 5 000 000.
(8)
Under Article 61(2) of the Directive (EU) 2015/849, the mechanisms encouraging reporting should include at least:
(a)specific procedures for the receipt of reports on breaches and their follow-up;
(b)appropriate protection for employees or persons in a comparable position, of obliged entities who report breaches committed within the obliged entity;
(c)appropriate protection for the accused person;
(d)protection of personal data concerning both the person who reports the breaches and the natural person who is allegedly responsible for a breach, in compliance with the principles laid down in Directive 95/46/EC;
(e)clear rules that ensure that confidentiality is guaranteed in all cases in relation to the person who reports the breaches, unless disclosure is required by national law in the context of further investigations or subsequent judicial proceedings.
(9)
Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, the Slovak Republic, Slovenia, Spain, Sweden, the United Kingdom.