How will the anti-money laundering rules of the European Union affect the FinTech sector?

The European Union has taken another step in regulating the prevention of money laundering and terrorist financing. Unlike the past steps, this is not just a clarification of the existing rules. An extensive reform is on the horizon and its objective is to harmonise requirements and strengthen supervision. The new requirements will affect all financial institutions and other obliged persons, but as the authors Anneli Krunks and Elina Lorens highlight, fintech companies should pay particular attention.

The new anti-money laundering and counter-terrorist financing (AML/CTF) package of the European Union is significantly more comprehensive and broader than previous regulations in this area. In addition to clarifying the existing requirements, the package includes a number of new and additional requirements that will make the prevention of money laundering and terrorist financing more straightforward for both market participants and supervisors. Whilst the new requirements will bring changes for all financial institutions, they will have a greater impact on companies in the fintech sector, which generally provide services across borders.

Which fintech companies should pay particular attention?

AML/CTF requirements are generally only binding on ‘obliged parties’. Whilst the first EU regulation on this subject limited the list of obliged persons to credit and financial institutions, the list has expanded considerably over time. The new regulation will broaden the scope of regulated parties to include even more companies from the fintech sector in particular. 

The new requirements will include, for example, financial intermediaries, including crowdfunding platforms and mortgage and consumer credit intermediaries, which until now have been excluded from regulation, at least at the EU level. Estonia has already included credit intermediaries as obliged persons at the national level in the past, so this may not have such a significant impact in the Estonian context. At the same time, it is certainly welcome that the regulation is becoming more harmonised in this respect, as until now Estonian credit intermediaries have been at a disadvantage compared to credit intermediaries in other EU member states.

However, this is an important change for crowdfunding platforms both in the European Union in general and in Estonia, as they have not been among obliged persons in Estonia either. As a result of the new regulation, crowdfunding platforms will have to apply AML/CTF requirements in full, leading to significant additional compliance costs. As this is a completely new regulated area for crowdfunding platforms, they should bring themselves up to date with the requirements and start applying them in good time.

In relation to the European Markets in Crypto Assets Regulation (MiCAR), the AML/CTF requirements at the EU level also started to apply to crypto-asset service providers. The AML/CTF package of the European Union will not change this. However, the threshold above which a crypto-asset service provider must apply due diligence measures outside the customer relationship will be significantly reduced, from €10,000 to €1,000. Thus, crypto-asset service providers will have to apply the AML/CTF requirements on a much broader scale than before.

What are the significant changes concerning due diligence measures?

The new regulation broadly maintains the basic requirements for the application of due diligence measures that have been in effect at EU level until now. However, the new regulation defines the requirements in considerably greater detail. 

Thus, the new regulation contains a list of data and documents that must be collected from the customer. In addition, the updated requirements include the identification of the customer and beneficial owner and the verification of data through more clearly defined sources of information, the assessment of the purpose and nature of the business relationship (which now also applies to occasional transactions) and the continuous monitoring of transactions to ensure that they match the customer’s profile and usual activity. 

One of the most important changes concerns the outsourcing of AML/CTF tasks to service providers. The use of service providers to fulfil AML/CTF functions has been widespread among market participants. This is especially the case for fintech companies, which generally do not meet the customer physically when providing financial services digitally. For example, financial institutions have used different solutions (such as post offices or information points) to identify customers, carry out background checks on customers or monitor the transactions of customers. Digital development has also broadened the profile of services that can be purchased from service providers (e.g. identification based on biometric data). However, the new requirements impose strict limits on what tasks can be outsourced to a service provider. For example, outsourcing activities related to the establishment of a business relationship or the assessment of customer risk to a service provider is prohibited. Also, while service providers can continue monitoring customer transactions, the requirements for monitoring transactions must be set by the obliged person.

For Estonian companies, the new requirements on due diligence measures mean, above all, the need to strengthen internal control procedures and invest in appropriate compliance systems. 

How is enhancing supervision planned?

The establishment of a supervisory institution (AMLA) at the level of the European Union was also part of the AML/CTF package. One of the objectives of the AMLA is direct supervision. However, as only the highest risk credit and financial institutions with significant cross-border activities will be subject to AMLA supervision, it is unlikely that any Estonian fintech company will be included in this group in the coming years. It may, however, include some of the larger fintech companies in the Baltics and Europe that operate on a cross-border basis.

In addition to direct supervision, the AMLA aims to strengthen and harmonise supervision across the European Union. This will contribute to the harmonisation of supervisory practices, interpretations and views in the Member States, making it possible to presume to some degree that supervisory practices in one Member State and in another Member State are similar in a given situation. This will certainly have a positive impact on Estonian fintech companies operating on a cross-border basis.

Will the new regulation lead to the long-awaited harmonisation of requirements?

AML rules have been in effect at the EU level for a long time. However, one of the problems with the current rules has been that they have not been directly applicable. Each Member State has therefore implemented them slightly differently in its national law. Another problem has been the generality of the requirements at the EU level. The prevention and combating of money laundering has become particularly topical in the last decade, creating a need for more precise regulation in the market. This need has been addressed by the EU member states themselves through a large number of additional national requirements. However, this has led to a situation where AML/CTF requirements differ significantly across member states.

Different requirements in turn impose restrictions on cross-border activity. Companies in the financial sector, in particular fintech companies, generally offer their services cross-border in other member states as well. However, this means that before entering a new market, it is necessary to familiarise oneself with the specific requirements of that member state. As the differences are sometimes quite significant, this means significant costs for the company. 

The European Union’s new AML/CTF package is certainly a step forward in this area. Most of the regulations in the package are directly applicable in the member states and do not require transposition into national law. This also reduces the possibility of requirements varying from country to country. The new package of regulations is also more detailed than before, which will also contribute to the harmonisation of requirements. The new requirements could therefore lead to some harmonisation. However, this is overshadowed by the fact that nationally imposed requirements in the member states continue to be significantly more precise than the EU requirements. Some differences between member states are therefore inevitable.

The new requirements will become applicable gradually from this year until 2029. In order to ensure compliance, it is important that it is clear to companies at an early stage which requirements will apply at which point in time.

This article was originally published in Estonian on April 10 in the financial news section of Äripäev.


Linked Experts

Anneli Krunks, Counsel / Estonia
Elina Lorens, Lawyer / Estonia