“Innovation leads, regulation follows” so said consultancy firm Deloitte in a recent report. Another way of putting it is that regulation follows technology. And this couldn’t be more true than with the Fifth Anti-Money Laundering Directive  (AMLD5), adopted by the European Parliament in April this year. The directive is an extension of the last iteration, AMLD4, and both are an attempt by regulators to tackle head-on the growing power, and therefore risk, of the use of technology by those in the criminal underworld.

The aim of AMLD5 is to continue to prevent and ultimately stop the financing of terrorists and prevent money laundering throughout the financial systems of the EU. This, of course, was also the aim of AMLD4, but the latest version, while not involving change as sweeping as the previous one, in some ways goes further. It aims to better define virtual currencies, the changes required to address crime using prepaid cards, and rules around information sharing. 

What the changes mean

AMLD4 addressed the risks by mandating that ‘obliged entities’ – such as banks – must meet new registration and due diligence requirements, and that a central register had to be maintained regarding ownership of companies operating within the EU.  However, AMLD4 did not, according to the European Central Bank, go far enough. The Bank stated that AMLD4 did not fully address the latest risks posted by money laundering and terrorist financing. 

Recent terrorist attacks throughout Europe – and elsewhere – have made this top of the agenda for the regulators. In addition, the scandal of the so-called Panama Papers in 2016 followed in 2017 by the publication of the Paradise Papers provided an insight into the many and varied ways the wealthy can exploit secretive offshore tax regimes – and sent shockwaves around the world.

AMLD5 proposes a number of amendments to the fourth directive to help further strengthen and prevent money laundering, especially around new technologies, which would have previously been excluded. AMLD5 proposes a public registry of beneficial owners of legal entities, but crucially also, for the first time, addresses the potential risks of virtual and cryptocurrencies such as Bitcoin.

Some of the key changes are as follows:

‘Letterbox’ companies

Under the new regulations, anyone can now access information about who are the real owners of so-called ‘letterbox’ companies operating in the EU and so reveal any corruption that they may be concealing, including tax evasion. In addition, it allows those with a ‘legitimate interest’ – such as investigative journalists – to find out about beneficial owners of trusts.  As the Council on Foreign Relations states, “Because of the secrecy they can provide, anonymous companies represent an important nexus of corruption, money laundering, transnational organized crime, and terrorism.”

Virtual currencies

The anonymity of virtual currencies, like their transparency, is both a strength and a weakness.  AMLD5 states that virtual currency exchange platforms and custodian wallet providers will, like traditional finance institutions, have to apply customer due diligence controls, including customer verification requirements, and will have to be registered. 

Prepaid cards

General purpose prepaid cards have legitimate uses. However, anonymous prepaid cards are easily used in financing terrorist attacks and logistics. The new arrangements call for a reduction in the threshold for identifying the holders of prepaid cards; from €250 to €150.

Extension to other companies

The new directive will now cover all forms of tax advisory services, letting agents, and art dealers, as well as electronic wallet providers and virtual currency exchange service providers.

Other changes

Other changes required by the new directive include mandating that centralised national bank and payment account registers or central data retrieval systems are in place and must be accessible by all EU members. In addition, there must be more stringent safeguards for financial transactions to and from countries regarded as high risk. It also specifies that there must be greater cooperation between financial intelligence units.

The challenges for a business of adopting these new standards

Businesses that, until now, did not have to take very much notice of anti-money laundering directives will now have to do so just as financial institutions and advisors such as accountants and tax specialists had to do previously. Anyone involved in virtual currency exchange platforms or custodian wallets will have to comply with the new requirements, including registering with national anti-money laundering authorities. They will also have to observe due diligence, monitor virtual currency transactions and blow the whistle on anything they might consider suspicious. 

Due diligence

The due diligence point is interesting.  The approach for the review of existing customers in the current framework is risk-based which can leave it open to interpretation. However, given the now relatively high risk of money laundering and terrorist financing, it is therefore important to ensure that certain clearly-specified categories of existing customers are also monitored on a regular basis.  From onboarding procedures to ongoing documentation, obliged entities will now be required to collect, keep up-to-date and share customer information. 


Businesses will need to ensure that all relevant staff understand the directive and the implications and will have to provide appropriate information and training. And it is all approaching very quickly; the dates for implementation are in stages throughout 2020.


There will, of course, be cost implications, not only operationally but also from the perspective of the reputational damage that could occur if businesses fall short. Companies that do not comply with the new legislation also risk large fines. In January 2017, the FCA fined Deutsche Bank £163 million for serious anti-money laundering controls failings. This was the largest financial penalty for AML controls failings ever imposed by the FCA, who found that Deutsche Bank exposed the UK financial system to the risks of financial crime by failing to properly oversee the formation of new customer relationships and the booking of global business in the UK. 

Of course, as with most issues in the UK currently, it is hard to avoid mentioning Brexit in this context. Whether the UK will comply with the EU directive is not certain, although it is highly likely. While companies do not have to take any immediate steps, other than ensuring they maintain compliance with the previous directive, the new directive is something they should keep a very close eye on in case they are required to implement changes to operating practices or controls as a direct result of the new regulations.   

Josh Gunnell, Head of Fraud and ID Pre-sales, TransUnion (formerly Callcredit)