Considerations on COM(2021)420 - Prevention of the use of the financial system for the purposes of money laundering or terrorist financing

Please note

This page contains a limited version of this dossier in the EU Monitor.

 
 
(1) Directive (EU) 2015/849 of the European Parliament and of the Council 23 constitutes the main legal instrument for the prevention of the use of the Union financial system for the purposes of money laundering and terrorist financing. That Directive sets out a comprehensive legal framework, which Directive (EU) 2018/843 of the European Parliament and the Council 24 further strengthened by addressing emerging risks and increasing transparency of beneficial ownership. Notwithstanding its achievements, experience has shown that further improvements should be introduced to adequately mitigate risks and to effectively detect criminal attempts to misuse the Union financial system for criminal purposes.

(2) The main challenge identified in respect to the application of the provisions of Directive (EU) 2015/849 laying down obligations for private sector actors, the so-called obliged entities, is the lack of direct applicability of those rules and a fragmentation of the approach along national lines. Whereas those rules have existed and evolved over three decades, they are still implemented in a manner not fully consistent with the requirements of an integrated internal market. Therefore, it is necessary that rules on matters currently covered in Directive (EU) 2015/849 which may be directly applicable by the obliged entities concerned are addressed in a new Regulation in order to achieve the desired uniformity of application.

(3) This new instrument is part of a comprehensive package aiming at strengthening the Union’s AML/CFT framework. Together, this instrument, Directive [please insert reference – proposal for 6th Anti-Money Laundering Directive - COM/2021/423 final], Regulation [please insert reference – proposal for a recast of Regulation (EU) 2015/847 - COM/2021/422 final] and Regulation [please insert reference – proposal for establishment of an Anti-Money Laundering Authority - COM/2021/421 final] will form the legal framework governing the AML/CFT requirements to be met by obliged entities and underpinning the Union’s AML/CFT institutional framework, including the establishment of an Authority for anti-money laundering and countering the financing of terrorism (‘AMLA’).

(4) Money laundering and terrorist financing are frequently carried out in an international context. Measures adopted at Union level, without taking into account international coordination and cooperation, would have very limited effect. The measures adopted by the Union in that field should therefore be compatible with, and at least as stringent as actions undertaken at international level. Union action should continue to take particular account of the Financial Action Task Force (FATF) Recommendations and instruments of other international bodies active in the fight against money laundering and terrorist financing. With a view to reinforcing the efficacy of the fight against money laundering and terrorist financing, the relevant Union legal acts should, where appropriate, be aligned with the International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation adopted by the FATF in February 2012 (the ‘revised FATF Recommendations’) and the subsequent amendments to such standards.

(5) Since the adoption of Directive (EU) 2015/849, recent developments in the Union’s criminal law framework have contributed to strengthening the prevention and fight against money laundering, its predicate offences and terrorist financing. Directive (EU) 2018/1673 of the European Parliament and of the Council 25 has led to a common understanding of the money laundering crime and its predicate offences. Directive (EU) 2017/1371 of the European Parliament and of the Council 26 defined financial crimes affecting the Union’s financial interest, which should also be considered predicate offences to money laundering. Directive (EU) 2017/541 of the European Parliament and of the Council 27 has achieved a common understanding of the crime of terrorist financing. As those concepts are now clarified in Union criminal law, it is no longer needed for the Union’s AML/CFT rules to define money laundering, its predicate offences or terrorist financing. Instead, the Union’s AML/CFT framework should be fully coherent with the Union’s criminal law framework.

(6) Technology keeps evolving, offering opportunities to the private sector to develop new products and systems to exchange funds or value. While this is a positive phenomenon, it may generate new money laundering and terrorist financing risks, as criminals continuously manage to find ways to exploit vulnerabilities in order to hide and move illicit funds around the world. Crypto-assets service providers and crowdfunding platforms are exposed to the misuse of new channels for the movement of illicit money and are well placed to detect such movements and mitigate risks. The scope of Union legislation should therefore be expanded to cover these entities, in line with the recent developments in FATF standards in relation to crypto-assets.

(7) The institutions and persons covered by this Regulation play a crucial role as gatekeepers of the Union’s financial system and should therefore take all necessary measures necessary to implement the requirements of this Regulation with a view to preventing criminals from laundering the proceeds of their illegal activities or from financing terrorist activities. Measures should also be put in the place to mitigate any risk of non-implementation or evasion of targeted financial sanctions.

(8) Financial transactions can also take place within the same group as way of managing group finances. However, such transactions are not undertaken vis-à-vis customers and do not require the application of AML/CFT measures. In order to ensure legal certainty, it is necessary to recognise that this Regulation does not apply to financial activities or other financial services which are provided by members of a group to other members of that group.

(9) Independent legal professionals should be subject to this Regulation when participating in financial or corporate transactions, including when providing tax advice, where there is the risk of the services provided by those legal professionals being misused for the purpose of laundering the proceeds of criminal activity or for the purpose of terrorist financing. There should, however, be exemptions from any obligation to report information obtained before, during or after judicial proceedings, or in the course of ascertaining the legal position of a client, which should be covered by the legal privilege. Therefore, legal advice should remain subject to the obligation of professional secrecy, except where the legal professional is taking part in money laundering or terrorist financing, the legal advice is provided for the purposes of money laundering or terrorist financing, or where the legal professional knows that the client is seeking legal advice for the purposes of money laundering or terrorist financing.

(10) In order to ensure respect for the rights guaranteed by the Charter of Fundamental Rights of the European Union (the ‘Charter’), in the case of auditors, external accountants and tax advisors, who, in some Member States, are entitled to defend or represent a client in the context of judicial proceedings or to ascertain a client's legal position, the information they obtain in the performance of those tasks should not be subject to reporting obligations.

(11) Directive (EU) 2018/843 was the first legal instrument to address the risks of money laundering and terrorist financing posed by crypto-assets in the Union. It extended the scope of the AML/CFT framework to two types of crypto-assets services providers: providers engaged in exchange services between virtual currencies and fiat currencies and custodian wallet providers. Due to rapid technological developments and the advancement in FATF standards, it is necessary to review this approach. A first step to complete and update the Union legal framework has been achieved with Regulation [please insert reference – proposal for a Regulation on Markets in Crypto-assets, and amending Directive (EU) 2019/1937 - COM/2020/593 final], which set requirements for crypto-asset service providers wishing to apply for an authorisation to provide their services in the single market. It also introduced a definition of crypto-assets and crypto-assets services providers encompassing a broader range of activities. Crypto-asset service providers covered by Regulation [please insert reference – proposal for a Regulation on Markets in Crypto-assets, and amending Directive (EU) 2019/1937 - COM/2020/593 final] should also be covered by this Regulation, to mitigate any risk of misuse of crypto-assets for money laundering or terrorist financing purposes.

(12) Crowdfunding platforms’ vulnerabilities to money laundering and terrorist financing risks are horizontal and affect the internal market as a whole. To date, diverging approaches have emerged across Member States as to the management of those risks. Regulation (EU) 2020/1503 of the European Parliament and of the Council 28 harmonises the regulatory approach for business investment and lending-based crowdfunding platforms across the Union and ensures that adequate and coherent safeguards are in place to deal with potential money laundering and terrorist financing risks. Among those, there are requirements for the management of funds and payments in relation to all the financial transactions executed on those platforms. Crowdfunding service providers must either seek a license or partner with a payment service provider or a credit institution for the execution of such transactions. The Regulation also sets out safeguards in the authorisation procedure, in the assessment of good repute of management and through due diligence procedures for project owners. The Commission is required to assess by 10 November 2023 in its report on that Regulation whether further safeguards may be necessary. It is therefore justified not to subject crowdfunding platforms licensed under Regulation (EU) 2020/1503 to Union AML/CFT legislation.

(13) Crowdfunding platforms that are not licensed under Regulation (EU) 2020/1503 are currently left either unregulated or to diverging regulatory approaches, including in relation to rules and procedures to tackle anti-money laundering and terrorist financing risks. To bring consistency and ensure that there are no uncontrolled risks in that environment, it is necessary that all crowdfunding platforms that are not licensed under Regulation (EU) 2020/1503 and thus are not subject to its safeguards are subject to Union AML/CFT rules in order to mitigate money laundering and terrorist financing risks.

(14) Directive (EU) 2015/849 set out to mitigate the money laundering and terrorist financing risks posed by large cash payments by including persons trading in goods among obliged entities when they make or receive payments in cash above EUR 10 000, whilst allowing Member States to introduce stricter measures. Such approach has shown to be ineffective in light of the poor understanding and application of AML/CFT requirements, lack of supervision and limited number of suspicious transactions reported to the FIU. In order to adequately mitigate risks deriving from the misuse of large cash sums, a Union-wide limit to large cash transactions above EUR 10 000 should be laid down. As a consequence, persons trading in goods should no longer be subject to AML/CFT obligations.

(15) Some categories of traders in goods are particularly exposed to money laundering and terrorist financing risks due to the high value that the small, transportable goods they deal with contain. For this reason, persons dealing in precious metals and precious stones should be subject to AML/CFT requirements.

(16) Investment migration operators are private companies, bodies or persons acting or interacting directly with the competent authorities of the Member States on behalf of third-country nationals or providing intermediary services to third-country nationals seeking to obtain residence rights in a Member State in exchange of any kind of investments, including capital transfers, purchase or renting of property, investment in government bonds, investment in corporate entities, donation or endowment of an activity contributing to the public good and contributions to the state budget. Investor residence schemes present risks and vulnerabilities in relation to money laundering, corruption and tax evasion. Such risks are exacerbated by the cross-border rights associated with residence in a Member State. Therefore, it is necessary that investment migration operators are subject to AML/CFT obligations. This Regulation should not apply to investor citizenship schemes, which result in the acquisition of nationality in exchange for such investments, as such schemes must be considered as undermining the fundamental status of Union citizenship and sincere cooperation among Member States.

(17) Consumer and mortgage creditors and intermediaries that are not credit institutions or financial institutions have not been subject to AML/CFT requirements at Union level, but have been subject to such obligations in certain Member States due to their exposure to money laundering and terrorist financing risks. Depending on their business model, such consumer and mortgage creditors and intermediaries may be exposed to significant money laundering and terrorist financing risks. It is important to ensure that entities carrying out similar activities that are exposed to such risks are covered by AML/CFT requirements, regardless of whether they qualify as credit institutions or financial institutions. Therefore, it is appropriate to include consumer and mortgage creditors and intermediaries that are not credit institutions or financial institutions but that are, as a result of their activities, exposed to money laundering and terrorist financing risks.

(18) To ensure a consistent approach, it is necessary to clarify which entities in the investment sector are subject to AML/CFT requirements. Although collective investment undertakings already fell within the scope of Directive (EU) 2015/849, it is necessary to align the relevant terminology with the current Union investment fund legislation, namely Directive 2009/65/EC of the European Parliament and of the Council 29 and Directive 2011/61/EU of the European Parliament and of the Council 30 . Because funds might be constituted without legal personality, the inclusion of their managers in the scope of this Regulation is also necessary. AML/CFT requirements should apply regardless of the form in which units or shares in a fund are made available for purchase in the Union, including where units or shares are directly or indirectly offered to investors established in the Union or placed with such investors at the initiative of the manager or on behalf of the manager.

(19) It is important that AML/CFT requirements apply in a proportionate manner and that the imposition of any requirement is proportionate to the role that obliged entities can play in the prevention of money laundering and terrorist financing. To this end, it should be possible for Member States in line with the risk base approach of this Regulation to exempt certain operators from AML/CFT requirements, where the activities they perform present low money laundering and terrorist financing risks and where the activities are limited in nature. To ensure transparent and consistent application of such exemptions across the Union, a mechanism should be put in place allowing the Commission to verify the necessity of the exemptions to be granted. The Commission should also publish such exemptions on a yearly basis in the Official Journal of the European Union.

(20) A consistent set of rules on internal systems and controls that applies to all obliged entities operating in the internal market will strengthen AML/CFT compliance and make supervision more effective. In order to ensure adequate mitigation of money laundering and terrorist financing risks, obliged entities should have in place an internal control framework consisting of risk–based policies, controls and procedures and clear division of responsibilities throughout the organisation. In line with the risk-based approach of this Regulation, those policies, controls and procedures should be proportionate to the nature and size of the obliged entity and respond to the risks of money laundering and terrorist financing that the entity faces.

(21) An appropriate risk-based approach requires obliged entities to identify the inherent risks of money laundering and terrorist financing that they face by virtue of their business in order to mitigate them effectively and to ensure that their policies, procedures and internal controls are appropriate to address those inherent risks. In doing so, obliged entities should take into account the characteristics of their customers, the products, services or transactions offered, the countries or geographical areas concerned and the distribution channels used. In light of the evolving nature of risks, such risk assessment should be regularly updated.

(22) It is appropriate to take account of the characteristics and needs of smaller obliged entities, and to ensure treatment which is appropriate to their specific needs, and the nature of the business. This may include exempting certain obliged entities from performing a risk assessment where the risks involved in the sector in which the entity operates are well understood.

(23) The FATF has developed standards for jurisdictions to identify, and assess the risks of potential non-implementation or evasion of the targeted financial sanctions related to proliferation financing, and to take action to mitigate those risks. Those new standards introduced by the FATF today do not substitute nor undermine the existing strict requirements for countries to implement targeted financial sanctions to comply with the relevant United Nations Security Council Regulations relating to the prevention, suppression and disruption of proliferation of weapons of mass destruction and its financing. Those existing obligations, as implemented at Union level by Council Decisions 2010/413/CFSP 31 and (CFSP) 2016/849 32 as well as by Council Regulations (EU) No 267/2012 33 and (EU) 2017/1509 34 , remain strict rule-based obligations binding on all natural and legal persons within the Union.

(24) In order to reflect the latest developments at international level, a requirement has been introduced by this Regulation to identify, understand, manage and mitigate risks of potential non-implementation or evasion of proliferation financing-related targeted financial sanctions at obliged entity level.

(25) It is important that obliged entities take all measures at the level of their management to implement internal policies, controls and procedures and to implement AML/CFT requirements. While a person at management level should be identified as being responsible for implementing the obliged entity’s policies, controls and procedures, the responsibility for the compliance with AML/CFT requirements should rest ultimately with the governing body of the entity. Tasks pertaining to the day-to-day implementation of the obliged entity’s AML/CFT policies, controls and procedures should be entrusted to a compliance officer.

(26) For effective implementation of AML/CFT measures, it is also vital that the employees of obliged entities, as well as their agents and distributors, who have a role in their implementation understand the requirements and the internal policies, controls and procedures in place in the entity. Obliged entities should put in place measures, including training programmes, to this effect.

(27) Individuals entrusted with tasks related to an obliged entity’s compliance with AML/CFT requirements should undergo assessment of their skills, knowledge, expertise, integrity and conduct. Performance by employees of tasks related to the obliged entity’s compliance with the AML/CFT framework in relation to customers with whom they have a close private or professional relationship can lead to conflicts of interests and undermine the integrity of the system. Therefore, employees in such situations should be prevented from performing any tasks related to the obliged entity’s compliance with the AML/CFT framework in relation to such customers.

(28) The consistent implementation of group-wide AML/CFT policies and procedures is key to the robust and effective management of money laundering and terrorist financing risks within the group. To this end, group-wide policies, controls and procedures should be adopted and implemented by the parent undertaking. Obliged entities within the group should be required to exchange information when such sharing is relevant for preventing money laundering and terrorist financing. Information sharing should be subject to sufficient guarantees in terms of confidentiality, data protection and use of information. AMLA should have the task of drawing up draft regulatory standards specifying the minimum requirements of group-wide procedures and policies, including minimum standards for information sharing within the group and the role and responsibilities of parent undertakings that are not themselves obliged entities.

(29) In addition to groups, other structures exist, such as networks or partnerships, in which obliged entities might share common ownership, management and compliance controls. To ensure a level playing field across the sectors whilst avoiding overburdening it, AMLA should identify those situations where similar group-wide policies should apply to those structures.

(30) There are circumstances where branches and subsidiaries of obliged entities are located in third countries where the minimum AML/CFT requirements, including data protection obligations, are less strict than the Union AML/CFT framework. In such situations, and in order to fully prevent the use of the Union financial system for the purposes of money laundering and terrorist financing and to ensure the highest standard of protection for personal data of Union citizens, those branches and subsidiaries should comply with AML/CFT requirements laid down at Union level. Where the law of a third country does not permit compliance with those requirements, for example because of limitations to the group's ability to access, process or exchange information due to an insufficient level of data protection or banking secrecy law in the third country, obliged entities should take additional measures to ensure the branches and subsidiaries located in that country effectively handle the risks. AMLA should be tasked with developing draft technical standards specifying the type of such additional measures.

(31) Customer due diligence requirements are essential to ensure that obliged entities identify, verify and monitor their business relationships with their clients, in relation to the money laundering and terrorist financing risks that they pose. Accurate identification and verification of data of prospective and existing customers are essential for understanding the risks of money laundering and terrorist financing associated with clients, whether they are natural or legal persons.

(32) It is necessary to achieve a uniform and high standard of customer due diligence in the Union, relying on harmonised requirements for the identification of customers and verification of their identity, and reducing national divergences to allow for a level playing field across the internal market and for a consistent application of provisions throughout the Union. At the same time, it is essential that obliged entities apply customer due diligence requirements in a risk-based manner. The risk-based approach is not an unduly permissive option for obliged entities. It involves the use of evidence-based decision-making in order to target more effectively the risks of money laundering and terrorist financing facing the Union and those operating within it.

(33) Obliged entities should not be required to apply due diligence measures on customers carrying out occasional or linked transactions below a certain value, unless there is suspicion of money laundering or terrorist financing. Whereas the EUR 10 000 threshold applies to most occasional transactions, obliged entities which operate in sectors or carry out transactions that present a higher risk of money laundering and terrorist financing should be required to apply customer due diligence for transactions with lower thresholds. To identify the sectors or transactions as well as the adequate thresholds for those sectors or transactions, AMLA should develop dedicated draft regulatory technical standards.

(34) Some business models are based on the obliged entity having a business relationship with a merchant for offering payment initiation services through which the merchant gets paid for the provision of goods or services, and not with the merchant’s customer, who authorises the payment initiation service to initiate a single or one-off transaction to the merchant. In such a business model, the obliged entity’s customer for the purpose of AML/CFT rules is the merchant, and not the merchant’s customer. Therefore, customer due diligence obligations should be applied by the obliged entity vis-a-vis the merchant.

(35) Directive (EU) 2015/849, despite having harmonised the rules of Member States in the area of customer identification obligations to a certain degree, did not lay down detailed rules in relation to the procedures to be followed by obliged entities. In view of the crucial importance of this aspect in the prevention of money laundering and terrorist financing, it is appropriate, in accordance with the risk-based approach, to introduce more specific and detailed provisions on the identification of the customer and on the verification of the customer’s identity, whether in relation to natural or legal persons, legal arrangements such as trusts or entities having legal capacity under national law.

(36) Technological developments and progress in digitalisation enable a secure remote or electronic identification and verification of prospective and existing customers and can facilitate the remote performance of customer due diligence. The identification solutions as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council and the proposal for an amendment to it in relation to a framework for a European Digital Identity 35 enable secure and trusted means of customer identification and verification for both prospective and existing customers and can facilitate the remote performance of customer due diligence. The electronic identification as set out in that Regulation should be taken into account and accepted by obliged entities for the customer identification process. These means of identification may present, where appropriate risk mitigation measures are in place, a standard or even low level of risk.

(37) To ensure that the AML/CFT framework prevents illicit funds from entering the financial system, obliged entities should carry out customer due diligence before entering into business relationships with prospective clients, in line with the risk-based approach. Nevertheless, in order not to unnecessarily delay the normal conduct of business, obliged entities may collect the information from the prospective customer during the establishment of a business relationship. Credit and financial institutions may obtain the necessary information from the prospective customers once the relationship is established, provided that transactions are not initiated until the customer due diligence process is successfully completed.

(38) Depositors whose funds are the proceeds of money laundering should be excluded from repayment by a deposit guarantee scheme. To prevent that illicit funds are reimbursed to such depositors, credit institutions should, under the oversight of the supervisors, perform customer due diligence of their clients where the credit institutions have been determined failing or likely to fail, or when deposits are defined as unavailable. Credit institutions should report any suspicious transactions identified in the performance of such customer due diligence to the FIU.

(39) The customer due diligence process is not limited to the identification and verification of the customer’s identity. Before entering into business relationships or carrying out occasional transactions, obliged entities should also assess the purpose and nature of a business relationship. Pre-contractual or other information about the proposed product or service that is communicated to the prospective customer may contribute to the understanding of that purpose. Obliged entities should always be able to assess the purpose and nature of a prospective business relationship in an unambiguous manner. Where the offered service or product enables customers to carry out various types of transactions or activities, obliged entities should obtain sufficient information on the intention of the customer regarding the use to be made of that relationship.

(40) To ensure the effectiveness of the AML/CFT framework, obliged entities should regularly review the information obtained from their customers, in accordance with the risk-based approach. Obliged entities should also set up a monitoring system to detect atypical transactions that might raise money laundering or terrorist financing suspicions. To ensure the effectiveness of the transaction monitoring, obliged entities’ monitoring activity should in principle cover all services and products offered to customers and all transactions which are carried out on behalf of the costumer or offered to the customer by the obliged entity. However, not all transactions need to be scrutinised individually. The intensity of the monitoring should respect the risk-based approach and be designed around precise and relevant criteria, taking account, in particular, of the characteristics of the customers and the risk level associated with them, the products and services offered, and the countries or geographical areas concerned. AMLA should develop guidelines to ensure that the intensity of the monitoring of business relationships and of transactions is adequate and proportionate to the level of risk.

(41) In order to ensure consistent application of this Regulation, AMLA should have the task of drawing up draft regulatory technical standards on customer due diligence. Those regulatory technical standards should set out the minimum set of information to be obtained by obliged entities in order to enter into new business relationships with customers or assess ongoing ones, according to the level of risk associated with each customer. Furthermore, the draft regulatory technical standards should provide sufficient clarity to allow market players to develop secure, accessible and innovative means of verifying customers’ identity and performing customer due diligence, also remotely, while respecting the principle of technology neutrality. The Commission should be empowered to adopt those draft regulatory technical standards. Those specific tasks are in line with the role and responsibilities of AMLA as provided in Regulation [please insert reference – proposal for establishment of an Anti-Money Laundering Authority - COM/2021/421 final].

(42) The harmonisation of customer due diligence measures should not only seek to achieve consistent, and consistently effective, understanding of the risks associated with an existing or prospective customer regardless of where the business relationship is opened in the Union, and their harmonisation will help to achieve this aim. It should also ensure that the information obtained in the performance of customer due diligence is not used by obliged entities to pursue de-risking practices which may result in circumventing other legal obligations, in particular those laid down in Directive 2014/92 of the European Parliament and of the Council 36 or Directive 2015/2366 of the European Parliament and of the Council 37 , without achieving the Union’s objectives in the prevention of money laundering and terrorist financing. To enable the proper supervision of compliance with the customer due diligence obligations, it is important that obliged entities keep record of the actions undertaken and the information obtained during the customer due diligence process, irrespective of whether a new business relationship is established with them and of whether they have submitted a suspicious transaction report upon refusing to establish a business relationship. Where the obliged entity takes a decision to not enter into a business relationship with a prospective customer, the customer due diligence records should include the grounds for such a decision. This will enable supervisory authorities to assess whether obliged entities have appropriately calibrated their customer due diligence practices and how the entity’s risk exposure evolves, as well as help building statistical evidence on the application of customer due diligence rules by obliged entities throughout the Union.

(43) The approach for the review of existing customers in the current AML/CFT framework is already risk-based. However, given the higher risk of money laundering, its predicate offences and terrorist financing associated with certain intermediary structures, that approach might not allow for the timely detection and assessment of risks. It is therefore important to ensure that clearly specified categories of existing customers are also monitored on a regular basis.

(44) Risk itself is variable in nature, and the variables, on their own or in combination, may increase or decrease the potential risk posed, thus having an impact on the appropriate level of preventive measures, such as customer due diligence measures.

(45) In low risk situations, obliged entities should be able to apply simplified customer due diligence measures. This does not equate to an exemption or absence of customer due diligence measures. It rather consists in a simplified or reduced set of scrutiny measures, which should however address all components of the standard customer due diligence procedure. In line with the risk-based approach, obliged entities should nevertheless be able to reduce the frequency or intensity of their customer or transaction scrutiny, or rely on adequate assumptions with regard to the purpose of the business relationship or use of simple products. The regulatory technical standards on customer due diligence should set out the specific simplified measures that obliged entities may implement in case of lower risk situations identified in the Supranational Risk Assessment of the Commission. When developing draft regulatory technical standards, AMLA should have due regard to preserving social and financial inclusion.

(46) It should be recognised that certain situations present a greater risk of money laundering or terrorist financing. Although the identity and business profile of all customers should be established with the regular application of customer due diligence requirements, there are cases in which particularly rigorous customer identification and verification procedures are required. Therefore, it is necessary to lay down detailed rules on such enhanced due diligence measures, including specific enhanced due diligence measures for cross-border correspondent relationships.

(47) Cross-border correspondent relationships with a third-country’s respondent institution are characterised by their on-going, repetitive nature. Moreover, not all cross-border correspondent banking services present the same level of money laundering and terrorist financing risks. Therefore, the intensity of the enhanced due diligence measures should be determined by application of the principles of the risk based approach. However, the risk based approach should not be applied when interacting with third-country’s respondent institutions that have no physical presence where they are incorporated. Given the high risk of money laundering and terrorist financing inherent in shell banks, credit institutions and financial institutions should refrain from entertaining any correspondent relationship with such shell banks.

(48) In the context of enhanced due diligence measures, obtaining approval from senior management for establishing business relationships does not need to imply, in all cases, obtaining approval from the board of directors. It should be possible for such approval to be granted by someone with sufficient knowledge of the entity's money laundering and terrorist financing risk exposure and of sufficient seniority to take decisions affecting its risk exposure.

(49) In order to protect the proper functioning of the Union financial system from money laundering and terrorist financing, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union (TFEU) should be delegated to the Commission to identify third countries, whose shortcomings in their national AML/CFT regimes represent a threat to the integrity of the Union’s internal market. The changing nature of money laundering and terrorist financing threats from outside the Union, facilitated by a constant evolution of technology and of the means at the disposal of criminals, requires that quick and continuous adaptations of the legal framework as regards third countries be made in order to address efficiently existing risks and prevent new ones from arising. The Commission should take into account information from international organisations and standard setters in the field of AML/CFT, such as FATF public statements, mutual evaluation or detailed assessment reports or published follow-up reports, and adapt its assessments to the changes therein, where appropriate.

(50) Third countries “subject to a call for action” by the relevant international standard-setter (the FATF) present significant strategic deficiencies of a persistent nature in their legal and institutional AML/CFT frameworks and their implementation which are likely to pose a high risk to the Union’s financial system. The persistent nature of the significant strategic deficiencies, reflective of the lack of commitment or continued failure by the third country to tackle them, signal a heightened level of threat emanating from those third countries, which requires an effective, consistent and harmonised mitigating response at Union level. Therefore, obliged entities should be required to apply the whole set of available enhanced due diligence measures to occasional transactions and business relationships involving those high-risk third countries to manage and mitigate the underlying risks. Furthermore, the high level of risk justifies the application of additional specific countermeasures, whether at the level of obliged entities or by the Member States. Such approach would avoid divergence in the determination of the relevant countermeasures, which would expose the entirety of Union’s financial system to risks. Given its technical expertise, AMLA can provide useful input to the Commission in identifying the appropriate countermeasures.

(51) Compliance weaknesses in both the legal and institutional AML/CFT framework and its implementation of third countries which are subject to “increased monitoring” by the FATF are susceptible to be exploited by criminals. This is likely to represent a risk for the Union’s financial system, which needs to be managed and mitigated. The commitment of these third countries to address identified weaknesses, while not eliminating the risk, justifies a mitigating response, which is less severe than the one applicable to high-risk third countries. In these cases, Union’s obliged entities should apply enhanced due diligence measures to occasional transactions and business relationships when dealing with natural persons or legal entities established in those third countries that are tailored to the specific weaknesses identified in each third country. Such granular identification of the enhanced due diligence measures to be applied would, in line with the risk-based approach, also ensure that the measures are proportionate to the level of risk. To ensure such consistent and proportionate approach, the Commission should be able to identify which specific enhanced due diligence measures are required in order to mitigate country-specific risks. Given AMLA’s technical expertise, it can provide useful input to the Commission to identify the appropriate enhanced due diligence measures.

(52) Countries that are not publicly identified as subject to calls for actions or increased monitoring by international standard setters might still pose a threat to the integrity of the Union’s financial system. To mitigate those risks, it should be possible for the Commission to take action by identifying, based on a clear set of criteria and with the support of AMLA, third countries posing a specific and serious threat to the Union’s financial system, which may be due to either compliance weaknesses or significant strategic deficiencies of a persistent nature in their AML/CFT regime, and the relevant mitigating measures. Those third countries should be identified by the Commission. According to the level of risk posed to the Union’s financial system, the Commission should require the application of either all enhanced due diligence measures and country-specific countermeasures, as it is the case for high-risk third countries, or country-specific enhanced customer due diligence, such as in the case of third countries with compliance weaknesses.

(53) Considering that there may be changes in the AML/CFT frameworks of those third countries or in their implementation, for example as result of the country’s commitment to address the identified weaknesses or of the adoption of relevant AML/CFT measures to tackle them, which could change the nature and level of the risks emanating from them, the Commission should regularly review the identification of those specific enhanced due diligence measures in order to ensure that they remain proportionate and adequate.

(54) Potential external threats to the Union’s financial system do not only emanate from third countries, but can also emerge in relation to specific customer risk factors or products, services, transactions or delivery channels which are observed in relation to a specific geographical area outside the Union. There is therefore a need to identify money laundering and terrorist financing trends, risks and methods to which Union’s obliged entities may be exposed. AMLA is best placed to detect any emerging ML/TF typologies from outside the Union, to monitor their evolution with a view to providing guidance to the Union’s obliged entities on the need to apply enhanced due diligence measures aimed at mitigating such risks.

(55) Relationships with individuals who hold or who have held important public functions, within the Union or internationally, and particularly individuals from countries where corruption is widespread, may expose the financial sector to significant reputational and legal risks. The international effort to combat corruption also justifies the need to pay particular attention to such persons and to apply appropriate enhanced customer due diligence measures with respect to persons who are or who have been entrusted with prominent public functions and with respect to senior figures in international organisations. Therefore, it is necessary to specify measures which obliged entities should apply with respect to transactions or business relationships with politically exposed persons. To facilitate the risk-based approach, AMLA should be tasked with issuing guidelines on assessing the level of risks associated with a particular category of politically exposed persons, their family members or persons known to be close associates.

(56) In order to identify politically exposed persons in the Union, lists should be issued by Member States indicating the specific functions which, in accordance with national laws, regulations and administrative provisions, qualify as prominent public functions. Member States should request each international organisation accredited on their territories to issue and keep up to date a list of prominent public functions at that international organisation. The Commission should be tasked with compiling and issuing a list, which should be valid across the Union, as regards persons entrusted with prominent public functions in Union institutions or bodies.

(57) When customers are no longer entrusted with a prominent public function, they can still pose a higher risk, for example because of the informal influence they could still exercise, or because their previous and current functions are linked. It is essential that obliged entities take into consideration those continuing risks and apply one or more enhanced due diligence measures until such time that the individuals are deemed to pose no further risk, and in any case for not less than 12 months following the time when they are no longer entrusted with a prominent public function.

(58) Insurance companies often do not have client relationships with beneficiaries of the insurance policies. However, they should be able to identify higher risk situations, such as when the proceeds of the policy benefit a politically exposed person. To determine whether this is the case, the insurance policy should include reasonable measures to identify the beneficiary, as if this person were a new client. Such measures can be taken at the time of the payout or at the time of the assignment of the policy, but not later.

(59) Close private and professional relationships can be abused for money laundering and terrorist financing purposes. For that reason, measures concerning politically exposed persons should also apply to their family members and persons known to be close associates. Properly identifying family members and persons known to be close associates may depend on the socio-economic and cultural structure of the country of the politically exposed person. Against this background, AMLA should have the task of issuing guidelines on the criteria to use to identify persons who should be considered as close associate.

(60) The requirements relating to politically exposed persons, their family members and close associates, are of a preventive and not criminal nature, and should not be interpreted as stigmatising politically exposed persons as being involved in criminal activity. Refusing a business relationship with a person simply on the basis of a determination that they are a politically exposed person is contrary to the letter and spirit of this Regulation.

(61) In order to avoid repeated customer identification procedures, it is appropriate, subject to suitable safeguards, to allow obliged entities to rely on the customer information collected by other obliged entities. Where an obliged entity relies on another obliged entity, the ultimate responsibility for customer due diligence should remain with the obliged entity which chooses to rely on the customer due diligence performed by another obliged entity. The obliged entity relied upon should also retain its own responsibility for compliance with AML/CFT requirements, including the requirement to report suspicious transactions and retain records.

(62) Obliged entities may outsource tasks relating to the performance of customer due diligence to an agent or external service provider, unless they are established in third countries that are designated as high-risk, as having compliance weaknesses or as posing a threat to the Union’s financial system. In the case of agency or outsourcing relationships on a contractual basis between obliged entities and external service providers not covered by AML/CFT requirements, any AML/CFT obligations upon those agents or outsourcing service providers could arise only from the contract between the parties and not from this Regulation. Therefore, the responsibility for complying with AML/CFT requirements should remain entirely with the obliged entity itself. The obliged entity should in particular ensure that, where an outsourced service provider is involved for the purposes of remote customer identification, the risk-based approach is respected.

(63) In order for third party reliance and outsourcing relationships to function efficiently, further clarity is needed around the conditions according to which reliance takes place. AMLA should have the task of developing guidelines on the conditions under which third-party reliance and outsourcing can take place, as well as the roles and responsibilities of the respective parties. To ensure that consistent oversight of reliance and outsourcing practices is ensured throughout the Union, the guidelines should also provide clarity on how supervisors should take into account such practices and verify compliance with AML/CFT requirements when obliged entities resort to those practices.

(64) The concept of beneficial ownership was introduced by Directive (EU) 2015/849 to increase transparency of complex corporate structures. The need to access accurate, up-to-date and adequate information on the beneficial owner is a key factor in tracing criminals who might otherwise be able to hide their identity behind such opaque structures. Member States are currently required to ensure that both corporate and other legal entities as well as express trusts and other similar legal arrangements obtain and hold adequate, accurate and current information on their beneficial ownership. However, the degree of transparency imposed by Member States varies. The rules are subject to divergent interpretations, and this results in different methods to identify beneficial owners of a given entity or arrangement. This is due, inter alia, to inconsistent ways of calculating indirect ownership of an entity or arrangement. This hampers the transparency that was intended to be achieved. It is therefore necessary to clarify the rules to achieve a consistent definition of beneficial owner and its application across the internal market.

(65) Detailed rules should be laid down to identify the beneficial owners of corporate and other legal entities and to harmonise definitions of beneficial ownership. While a specified percentage shareholding or ownership interest does not automatically determine the beneficial owners, it should be one factor among others to be taken into account. Member States should be able, however, to decide that a percentage lower than 25% may be an indication of ownership or control. Control through ownership interest of 25% plus one of the shares or voting rights or other ownership interest should be assessed on every level of ownership, meaning that this threshold should apply to every link in the ownership structure and that every link in the ownership structure and the combination of them should be properly examined.

(66) A meaningful identification of the beneficial owners requires a determination of whether control is exercised via other means. The determination of control through an ownership interest is necessary but not sufficient and it does not exhaust the necessary checks to determine the beneficial owners. The test on whether any natural person exercises control via other means is not a subsequent test to be performed only when it is not possible to determine an ownership interest. The two tests, namely that of control through an ownership interest and that of control via other means, should be performed in parallel. Control through other means may include the right to appoint or remove more than half of the members of the board of the corporate entity; the ability to exert a significant influence on the decisions taken by the corporate entity; control through formal or informal agreements with owners, members or the corporate entities, as well as voting arrangements; links with family members of managers or directors or those owning or controlling the corporate entity; use of formal or informal nominee arrangements.

(67) In order to ensure effective transparency, the widest possible range of legal entities and arrangements incorporated or created in the territory of Member States should be covered by beneficial ownership rules. This includes legal entities other than corporate ones and arrangements similar to trusts. Due to differences in the legal systems of Member States, those broad categories encompass a variety of different organisational structures. Member States should notify to the Commission a list of the types of corporate and other legal entities where the beneficial owners is identified in line with the rules for the identification of beneficial owners for corporate entities. The Commission should make recommendations to Member States on the specific rules and criteria to identify the beneficial owners of legal entities other than corporate entities.

(68) To ensure the consistent identification of beneficial owners of express trusts and similar legal entities, such as foundations, or arrangements, it is necessary to lay down harmonised beneficial ownership rules. Member States are required to notify to the Commission a list of the types of legal entities and legal arrangements similar to express trusts where the beneficial owners is identified according to the identification of beneficial owners for express trusts and similar legal entities or arrangements. The Commission should be empowered to adopt, by means of an implementing act, a list of legal arrangements and legal entities governed by national law of Member States, which have a structure or function similar to express trusts.

(69) A consistent approach to the beneficial ownership transparency regime also requires ensuring that the same information is collected on beneficial owners across the internal market. It is appropriate to introduce precise requirements concerning the information that should be collected in each case. That information includes a minimum set of personal data of the beneficial owner, the nature and extent of the beneficial interest held in the legal entity or legal arrangement and information on the legal entity or legal arrangement.

(70) Underpinning an effective framework on beneficial ownership transparency is the knowledge by corporate and other legal entities of the natural persons who are their beneficial owners. Thus, all corporate and other legal entities in the Union should obtain and hold adequate, accurate and current beneficial ownership information. That information should be retained for five years and the identity of the person responsible for retaining the information should be reported to the registers. That retention period is equivalent to the period for retention of the information obtained within the application of AML/CFT requirements, such as customer due diligence measures. In order to ensure the possibility to cross-check and verify information, for instance through the mechanism of discrepancy reporting, it is justified to ensure that the relevant data retention periods are aligned.

(71) Corporate and other legal entities should take all necessary measures to identify their beneficial owners. There may however be cases where no natural person is identifiable who ultimately owns or exerts control over an entity. In such exceptional cases, provided that all means of identification are exhausted, the senior managing officials can be reported when providing beneficial ownership information to obliged entities in the course of the customer due diligence process or when submitting the information to the central register. Corporate and legal entities should keep records of the actions taken in order to identify their beneficial owners, especially when they rely on this last resort measure, which should be duly justified and documented.

(72) There is a need to ensure a level playing field among the different types of legal forms and to avoid the misuse of trusts and legal arrangements, which are often layered in complex structures to further obscure beneficial ownership. Trustees of any express trust administered in a Member State should thus be responsible for obtaining and holding adequate, accurate and current beneficial ownership information regarding the trust, and for disclosing their status and providing this information to obliged entities carrying out costumer due diligence. Any other beneficial owner of the trust should assist the trustee in obtaining such information.

(73) In view of the specific structure of certain legal entities such as foundations, and the need to ensure sufficient transparency about their beneficial ownership, such entities and legal arrangements similar to trusts should be subject to equivalent beneficial ownership requirements as those that apply to express trusts.

(74) Nominee arrangements may allow the concealment of the identity of the beneficial owners, because a nominee might act as the director or shareholder of a legal entity while the nominator is not always disclosed. Those arrangements might obscure the beneficial ownership and control structure, when beneficial owners do not wish to disclose their identity or role within them. There is thus a need to introduce transparency requirements in order to avoid that these arrangements are misused and to prevent criminals from hiding behind persons acting on their behalf. Nominee shareholders and nominee directors of corporate or other legal entities should maintain sufficient information on the identity of their nominator as well as of any beneficial owner of the nominator and disclose them as well as their status to the corporate or other legal entities. The same information should also be reported by corporate and other legal entities to obliged entities, when customer due diligence measures are performed.

(75) The risks posed by foreign corporate entities and legal arrangements, which are misused to channel proceeds of funds into the Union’s financial system, need to be mitigated. Since beneficial ownership standards in place in third countries might not be sufficient to allow for the same level of transparency and timely availability of beneficial ownership information as in the Union, there is a need to ensure adequate means to identify the beneficial owners of foreign corporate entities or legal arrangements in specific circumstances. Therefore, legal entities incorporated outside the Union and express trusts or similar legal arrangements administered outside the Union should be required to disclose their beneficial owners whenever they operate in the Union by entering into a business relationship with a Union’s obliged entity or by acquiring real estate in the Union.

(76) In order to encourage compliance and ensure an effective beneficial ownership transparency, beneficial ownership requirements need to be enforced. To this end, Member States should apply sanctions for breaches of those requirements. Those sanctions should be effective, proportionate and dissuasive, and should not go beyond what is required to encourage compliance. Sanctions introduced by Member States should have an equivalent deterrent effect across the Union on the breaches of beneficial ownership requirements.

(77) Suspicious transactions, including attempted transactions, and other information relevant to money laundering, its predicate offences and terrorist financing, should be reported to the FIU, which should serve as a single central national unit for receiving and, analysing reported suspicions and for disseminating to the competent authorities the results of its analyses. All suspicious transactions, including attempted transactions, should be reported, regardless of the amount of the transaction. Reported information may also include threshold-based information. The disclosure of information to the FIU in good faith by an obliged entity or by an employee or director of such an entity should not constitute a breach of any restriction on disclosure of information and should not involve the obliged entity or its directors or employees in liability of any kind.

(78) Differences in suspicious transaction reporting obligations between Member States may exacerbate the difficulties in AML/CFT compliance experienced by obliged entities that have a cross-border presence or operations. Moreover, the structure and content of the suspicious transaction reports have an impact on the FIU’s capacity to carry out analysis and on the nature of that analysis, and also affects FIUs’ abilities to cooperate and to exchange information. In order to facilitate obliged entities’ compliance with their reporting obligations and allow for a more effective functioning of FIUs’ analytical activities and cooperation, AMLA should develop draft regulatory standards specifying a common template for the reporting of suspicious transactions to be used as a uniform basis throughout the Union.

(79) FIUs should be able to obtain swiftly from any obliged entity all the necessary information relating to their functions. Their unfettered and swift access to information is essential to ensure that flows of money can be properly traced and illicit networks and flows detected at an early stage. The need for FIUs to obtain additional information from obliged entities based on a suspicion of money laundering or financing of terrorism might be triggered by a prior suspicious transaction report reported to the FIU, but might also be triggered through other means such as the FIU’s own analysis, intelligence provided by competent authorities or information held by another FIU. FIUs should therefore be able, in the context of their functions, to obtain information from any obliged entity, even without a prior report being made. Obliged entities should reply to a request for information by the FIU as soon as possible and, in any case, within five days of receipt of the request. In justified and urgent cases, the obliged entity should be able to respond to the FIU’s request within 24 hours. This does not include indiscriminate requests for information to the obliged entities in the context of the FIU's analysis, but only information requests based on sufficiently defined conditions. An FIU should also be able to obtain such information on a request made by another Union FIU and to exchange the information with the requesting FIU.

(80) For certain obliged entities, Member States should have the possibility to designate an appropriate self-regulatory body to be informed in the first instance instead of the FIU. In accordance with the case-law of the European Court of Human Rights, a system of first instance reporting to a self-regulatory body constitutes an important safeguard for upholding the protection of fundamental rights as concerns the reporting obligations applicable to lawyers. Member States should provide for the means and manner by which to achieve the protection of professional secrecy, confidentiality and privacy.

(81) Where a Member State decides to designate such a self-regulatory body, it may allow or require that body not to transmit to the FIU any information obtained from persons represented by that body where such information has been received from, or obtained on, one of their clients, in the course of ascertaining the legal position of their client, or in performing their task of defending or representing that client in, or concerning, judicial proceedings, including providing advice on instituting or avoiding such proceedings, whether such information is received or obtained before, during or after such proceedings.

(82) Obliged entities should exceptionally be able to carry out suspicious transactions before informing the competent authorities where refraining from doing so is impossible or likely to frustrate efforts to pursue the beneficiaries of a suspected money laundering or terrorist financing operation. However, this exception should not be invoked in relation to transactions concerned by the international obligations accepted by the Member States to freeze without delay funds or other assets of terrorists, terrorist organisations or those who finance terrorism, in accordance with the relevant United Nations Security Council resolutions.

(83) Confidentiality in relation to the reporting of suspicious transactions and to the provision of other relevant information to FIUs is essential in order to enable the competent authorities to freeze and seize assets potentially linked to money laundering, its predicate offences or terrorist financing. A suspicious transaction is not an indication of criminal activity. Disclosing that a suspicion has been reported may tarnish the reputation of the persons involved in the transaction and jeopardise the performance of analyses and investigations. Therefore, obliged entities and their directors and employees should not inform the customer concerned or a third party that information is being, will be, or has been submitted to the FIU, whether directly or through the self-regulatory body, or that a money laundering or terrorist financing analysis is being, or may be, carried out. The prohibition of disclosure should not apply in specific circumstances concerning, for example, disclosures to competent authorities and self-regulatory bodies when performing supervisory functions, or disclosures for law enforcement purposes or when the disclosures take place between obliged entities that belong to the same group.

(84) Criminals move illicit proceeds through numerous intermediaries to avoid detection. Therefore it is important to allow obliged entities to exchange information not only between group members, but also in certain cases between credit and financial institutions and other entities that operate within networks, with due regard to data protection rules.

(85) Regulation (EU) 2016/679 of the European Parliament and of the Council 38 applies to the processing of personal data for the purposes of this Regulation. The fight against money laundering and terrorist financing is recognised as an important public interest ground by all Member States.

(86) It is essential that the alignment of the AML/CFT framework with the revised FATF Recommendations is carried out in full compliance with Union law, in particular as regards Union data protection law and the protection of fundamental rights as enshrined in the Charter. Certain aspects of the implementation of the AML/CFT framework involve the collection, analysis, storage and sharing of data. Such processing of personal data should be permitted, while fully respecting fundamental rights, only for the purposes laid down in this Regulation, and for carrying out customer due diligence, ongoing monitoring, analysis and reporting of unusual and suspicious transactions, identification of the beneficial owner of a legal person or legal arrangement, identification of a politically exposed person and sharing of information by credit institutions and financial institutions and other obliged entities. The collection and subsequent processing of personal data by obliged entities should be limited to what is necessary for the purpose of complying with AML/CFT requirements and personal data should not be further processed in a way that is incompatible with that purpose. In particular, further processing of personal data for commercial purposes should be strictly prohibited.

(87) The revised FATF Recommendations demonstrate that, in order to be able to cooperate fully and comply swiftly with information requests from competent authorities for the purposes of the prevention, detection or investigation of money laundering and terrorist financing, obliged entities should maintain, for at least five years, the necessary information obtained through customer due diligence measures and the records on transactions. In order to avoid different approaches and in order to fulfil the requirements relating to the protection of personal data and legal certainty, that retention period should be fixed at five years after the end of a business relationship or an occasional transaction.

(88) When the notion of competent authorities refers to investigating and prosecuting authorities, it shall be interpreted as including the central and decentralised levels of the European Public Prosecutor's Office (EPPO) with regard to the Member States that participate in the enhanced cooperation on the establishment of the EPPO.

(89) For the purpose of ensuring the appropriate and efficient administration of justice during the period between the entry into force and application of this Regulation, and in order to allow for its smooth interaction with national procedural law, information and documents pertinent to ongoing legal proceedings for the purpose of the prevention, detection or investigation of possible money laundering or terrorist financing, which have been pending in the Member States on the date of entry into force of this Regulation, should be retained for a period of five years after that date, and it should be possible to extend that period for a further five years.

(90) The rights of access to data by the data subject are applicable to the personal data processed for the purpose of this Regulation. However, access by the data subject to any information related to a suspicious transaction report would seriously undermine the effectiveness of the fight against money laundering and terrorist financing. Exceptions to and restrictions of that right in accordance with Article 23 of Regulation (EU) 2016/679 may therefore be justified. The data subject has the right to request that a supervisory authority referred to in Article 51 of Regulation (EU) 2016/679 checks the lawfulness of the processing and has the right to seek a judicial remedy referred to in Article 79 of that Regulation. The supervisory authority may also act on an ex-officio basis. Without prejudice to the restrictions to the right to access, the supervisory authority should be able to inform the data subject that all necessary verifications by the supervisory authority have taken place, and of the result as regards the lawfulness of the processing in question.

(91) Obliged entities might resort to the services of other private operators. However, the AML/CFT framework should apply to obliged entities only, and obliged entities should retain full responsibility for compliance with AML/CFT requirements. In order to ensure legal certainty and to avoid that some services are inadvertently brought into the scope of this regulation, it is necessary to clarify that persons that merely convert paper documents into electronic data and are acting under a contract with an obliged entity, and persons that provide credit institutions or financial institutions solely with messaging or other support systems for transmitting funds or with clearing and settlement systems do not fall within the scope of this Regulation.

(92) Obliged entities should obtain and hold adequate and accurate information on the beneficial ownership and control of legal persons. As bearer shares accord the ownership to the person who possesses the bearer share certificate, they allow the beneficial owner to remain anonymous. To ensure that those shares are not misused for money laundering or terrorist financing purposes, companies - other than those with listed securities on a regulated market or whose shares are issued as intermediated securities - should convert all existing bearer shares into registered shares. In addition, only bearer share warrants in intermediated form should be allowed.

(93) The anonymity of crypto-assets exposes them to risks of misuse for criminal purposes. Anonymous crypto-asset wallets do not allow the traceability of crypto-asset transfers, whilst also making it difficult to identify linked transactions that may raise suspicion or to apply to adequate level of customer due diligence. In order to ensure effective application of AML/CFT requirements to crypto-assets, it is necessary to prohibit the provision and the custody of anonymous crypto-asset wallets by crypto-asset service providers.

(94) The use of large cash payments is highly vulnerable to money laundering and terrorist financing; this has not been sufficiently mitigated by the requirement for traders in goods to be subject to anti-money laundering rules when making or receiving cash payments of EUR 10 000 or more. At the same time, differences in approaches among Member States have undermined the level playing field within the internal market to the detriment of businesses located in Member States with stricter controls. It is therefore necessary to introduce a Union-wide limit to large cash payments of EUR 10 000. Member States should be able to adopt lower thresholds and further stricter provisions.

(95) The Commission should assess the costs, benefits and impacts of lowering the limit to large cash payments at Union level with a view to levelling further the playing field for businesses and reducing opportunities for criminals to use cash for money laundering. This assessment should consider in particular the most appropriate level for a harmonised limit to cash payments at Union level considering the current existing limits to cash payments in place in a large number of Member States, the enforceability of such a limit at Union level and the effects of such a limit on the legal tender status of the euro.

(96) The Commission should also assess the costs, benefits and impacts of lowering the threshold for the identification of beneficial owners when control is exercised through ownership. This assessment should consider in particular the lessons learned from Member States or third countries having introduced lower thresholds.

(97) In order to ensure consistent application of AML/CFT requirements, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission to supplement this Regulation by adopting delegated acts identifying high-risk third countries, third countries with compliance weaknesses and countries that pose a threat to the Union’s financial system and defining harmonised and proportionate enhanced due diligence measures as well as, where relevant, mitigating measures as well as the regulatory technical standards setting out the minimum requirements of group-wide policies, controls and procedures and the conditions under which structures which share common ownership, management or compliance controls are required to apply group-wide policies, controls and procedures, the actions to be taken by groups when the laws of third countries do not permit the application of group-wide policies, controls and procedures and supervisory measures, the sectors and transactions subject to lower thresholds for the performance of customer due diligence and the information necessary for the performance of customer due diligence. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making 39 . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

(98) In order to ensure uniform conditions for the application of this Regulation, implementing powers should be conferred on the Commission in order to identify legal arrangements similar to express trusts governed by the national laws of Member States as well as to adopt implementing technical standards specifying the format to be used for the reporting of suspicious transactions. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council 40 .

(99) This Regulation respects the fundamental rights and observes the principles recognised by the Charter, in particular the right to respect for private and family life (Article 7 of the Charter), the right to the protection of personal data (Article 8 of the Charter) and the freedom to conduct a business (Article 16 of the Charter).

(100)In accordance with Article 21 of the Charter, which prohibits discrimination based on any grounds, obliged entities should perform risk assessments in the context of customer due diligence without discrimination.

(101)When drawing up a report evaluating the implementation of this Regulation, the Commission should give due consideration to the respect of the fundamental rights and principles recognised by the Charter.

(102)Since the objective of this Regulation, namely to prevent the use of the Union’s financial system for the purposes of money laundering and terrorist financing, cannot be sufficiently achieved by the Member States and can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.

(103)The European Data Protection Supervisor has been consulted in accordance with Article 42 of Regulation (EU) 2018/1725 [and delivered an opinion on ... 41 ].